
Yealink SIP-T46U CVE-2026-12221

EUVD-2026-36694 · HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-15 · VulDB · GHSA-3x75-g3h6-5r8m
7.3 (CVSS 4.0 · Vendor: VulDB)

Severity by source

  • Vendor (VulDB), PRIMARY: 7.3 HIGH
    CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • vuln.today AI: 8.0 HIGH
    Adjacent-network upload endpoint (AV:A), straightforward overflow (AC:L), requires low-privilege phone account (PR:L), no user interaction, full compromise of the phone firmware yields high C/I/A with no scope change.
    3.1: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    4.0: AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS Vector (Vendor: VulDB)

  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: X

Lifecycle Timeline (2 events)

  • Analysis Generated: Jun 15, 2026 - 06:22 (vuln.today)
  • CVSS changed: Jun 15, 2026 - 06:22 (NVD), 8.6 (HIGH) → 7.3 (HIGH)

Description (CVE.org)

A vulnerability was found in Yealink SIP-T46U 108.86.0.118. This impacts the function sprintf of the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Performing a manipulation of the argument uid/start_offset results in stack-based buffer overflow. The attack needs to be approached within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
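
The description attributes the overflow to sprintf formatting the request's uid/start_offset values into a stack buffer. The C sketch below is an added example, not Yealink's code and not part of the original record; it shows the hardened shape of such a handler step. The function names, the path layout, and the UID_MAX_LEN, PATH_BUF and MAX_FW_SIZE limits are all hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Limits and path layout are assumptions for illustration only. */
#define UID_MAX_LEN 32
#define PATH_BUF    64
#define MAX_FW_SIZE (64ULL * 1024 * 1024)

/* Unsafe pattern, for contrast (not compiled):
 *   sprintf(path, "/tmp/fw_%s_%s.part", uid, start_offset);
 * The output length is set by the request, not by sizeof(path). */

/* Returns 0 and fills out/offset on success, -1 if the request is rejected. */
int build_chunk_path(const char *uid, const char *start_offset,
                     char *out, size_t out_len, unsigned long long *offset)
{
    if (!uid || !start_offset || !out || !offset || out_len == 0) return -1;
    /* uid: 1..UID_MAX_LEN alphanumeric characters, nothing else. */
    size_t n = 0;
    for (; uid[n] != '\0'; n++)
        if (n >= UID_MAX_LEN || !isalnum((unsigned char)uid[n])) return -1;
    if (n == 0) return -1;
    /* start_offset: decimal digits only, parsed into a bounded integer. */
    if (!isdigit((unsigned char)start_offset[0])) return -1;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(start_offset, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > MAX_FW_SIZE) return -1;
    /* Bounded formatting; truncation is an error, never a success. */
    int w = snprintf(out, out_len, "/tmp/fw_%s_%llu.part", uid, v);
    if (w < 0 || (size_t)w >= out_len) return -1;
    *offset = v;
    return 0;
}

/* Demo helper: returns the built path, or NULL when the input is rejected. */
const char *try_request(const char *uid, const char *start_offset)
{
    static char path[PATH_BUF];
    unsigned long long off;
    return build_chunk_path(uid, start_offset, path, sizeof path, &off) == 0 ? path : NULL;
}

int main(void)
{
    const char *p = try_request("abc123", "4096");  /* constructed input */
    return puts(p ? p : "rejected") == EOF;
}
```

Formatting the offset from the parsed integer rather than from the raw request string bounds its printed width regardless of what the client sent.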

Analysis (AI)

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low privileges to corrupt memory via crafted uid or start_offset parameters sent to the /api/upgrade/upgrade firmware chunk upload endpoint. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices without an official patch. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Gain LAN foothold on VoIP segment
  • Delivery: Authenticate to phone web API with low-priv account
  • Exploit: Send crafted POST to /api/upgrade/upgrade with oversized uid/start_offset
  • Install: Overflow stack buffer via sprintf
  • C2: Hijack control flow on phone firmware
  • Execute: Execute arbitrary code on device
  • Impact: Pivot or eavesdrop on calls

Vulnerability Assessment (AI)

Exploitation: Attacker must reach the phone over the adjacent/local network (AV:A) and possess low-privilege credentials to the phone's web management interface (PR:L), and must be able to send POST requests to the /api/upgrade/upgrade Firmware Chunk Upload Handler with manipulated uid or start_offset parameters. …

Risk Assessment: The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:L/UI:N) places the attack on the adjacent network with low complexity and low privileges, which matches the description's statement that the attack must be approached from the local network and presumably requires a low-privilege account on the phone's web interface. …

Exploit Scenario: An attacker who has gained any foothold on the same LAN as the phone - for example a phished workstation or a guest-network bridge - authenticates to the phone's web API with a low-privilege account (or default/weak credentials), then sends a crafted POST to /api/upgrade/upgrade with an oversized uid or start_offset parameter that overflows the stack buffer reached via sprintf. Because publicly available exploit code exists, the attacker can reuse the published proof-of-concept to achieve code execution on the phone, potentially turning it into a covert audio-monitoring device or a pivot into the VoIP segment.

Remediation: No vendor-released patch identified at time of analysis, as Yealink did not respond to disclosure outreach - affected operators should monitor https://support.yealink.com for a future firmware release above 108.86.0.118 and apply it as soon as published. …

Recommended Action (AI)

Within 24 hours: Identify all Yealink SIP-T46U devices running firmware 108.86.0.118 via inventory systems and network scans; implement network segmentation to isolate phones to separate VLANs if feasible. …
