A vulnerability classified as critical was found in Yealink SIP-T46U 108.86.0.118. It affects the function mod_upgrade.SparePartsUpload of the file /api/upgrade/accupgradebychunk in the component Firmware Chunk Upload handler. Manipulation of the argument uid leads to a stack-based buffer overflow.

This vulnerability is uniquely identified as CVE-2026-12220. The attack can only be initiated within the local network. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.