
Yealink SIP-T46U CVE-2026-12222

EUVD-2026-36695 | HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-15 | VulDB | GHSA-3c47-ghg7-jxpp
7.3 (CVSS 4.0, vendor: VulDB)

Severity by source

Vendor (VulDB), primary source: 7.3 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.0 HIGH

Adjacent-network FastCGI endpoint requires LAN access (AV:A) and low-privilege web authentication (PR:L); the overflow yields full code execution on the phone, so C/I/A are all High with unchanged scope. The 8.0 figure is the CVSS 3.1 score of the vector below; the CVSS 4.0 base vector scores 7.3, the same as the vendor rating.

CVSS 3.1: AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS vector (vendor: VulDB)

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Adjacent
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: None
Exploit Maturity: Proof-of-Concept
Supplemental metrics (Safety, Automatable, Recovery, Value Density, Response Effort, Urgency): Not Defined (X). CVSS 4.0 has no Scope metric; the S:X at the end of the vector is the Safety supplemental metric, not Scope.

Lifecycle Timeline

Jun 15, 2026 - 06:28 vuln.today: Analysis updated, v3 (cvss_changed)
Jun 15, 2026 - 06:28 vuln.today: Analysis updated, v2 (cvss_changed)
Jun 15, 2026 - 06:22 vuln.today: Re-analysis queued (cvss_changed)
Jun 15, 2026 - 06:22 NVD: CVSS changed from 8.6 (HIGH) to 7.3 (HIGH)
Jun 15, 2026 - 06:20 vuln.today: Analysis generated

Description (CVE.org)

A vulnerability was determined in Yealink SIP-T46U 108.86.0.118. Affected is the function mod_webd.BlueToothTest of the file /api/inner/bttest of the component Web FastCGI Service. Executing a manipulation of the argument btMac/pin/reserved can lead to stack-based buffer overflow. The attack needs to be done within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-network attackers to corrupt memory via the BlueToothTest handler exposed by the Web FastCGI service. Supplying crafted btMac, pin, or reserved parameters to /api/inner/bttest triggers the overflow inside mod_webd.BlueToothTest, and publicly available exploit code demonstrates an off-by-one write. …
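The following is an added illustrative example, not Yealink firmware code and not derived from the published PoC: a hypothetical FastCGI parameter handler that shows the CWE-121 off-by-one pattern described above (a copy clamped to the full buffer size, then a terminator written at the clamped index) next to a hardened handler that sizes buffers for content plus NUL, rejects oversized values instead of truncating them, and validates each field's shape. All names (get_param, vulnerable_clobbers, is_mac_format, handle_bttest), buffer sizes, the simulated stack frame and the sample requests are assumptions constructed for the example.

```c
/* Added example, not Yealink code: CWE-121 off-by-one in a FastCGI parameter
 * handler beside a hardened handler. Names, sizes and the simulated frame are
 * hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC_STR_LEN  17   /* "aa:bb:cc:dd:ee:ff" */
#define MAC_BUF      18   /* MAC_STR_LEN plus the terminating NUL */
#define PIN_MAX_LEN  16
#define RESERVED_BUF 32
#define FRAME_SIZE   64   /* simulated stack frame so the demo stays in bounds */

enum bt_result { BT_OK = 0, BT_MISSING, BT_TOO_LONG, BT_BAD_MAC, BT_BAD_PIN };

/* Copy the value of `name` from a "k=v&k=v" query into `out`. Returns the value
 * length, -1 if absent, -2 if it would not fit (caller rejects, never truncates).
 * Percent-decoding is omitted to keep the example short. */
static long get_param(const char *query, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        if (seg > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seg - nlen - 1;
            if (vlen >= outlen) return -2;
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return (long)vlen;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* VULNERABLE: the copy is clamped to MAC_BUF bytes and the terminator goes to
 * mac[n]; for a btMac of MAC_BUF bytes or more the NUL lands one byte past the
 * buffer, on whatever local is adjacent on the stack. The frame is a byte array
 * here so the stray write is observable and in bounds; on a real stack it hits
 * a saved register or the return address. Returns 1 if the neighbour was hit. */
static int vulnerable_clobbers(const char *btMac)
{
    unsigned char frame[FRAME_SIZE] = {0};
    char *mac = (char *)frame;              /* mac occupies frame[0..MAC_BUF) */
    unsigned char *flag = frame + MAC_BUF;  /* the neighbouring local */
    *flag = 0xA5;
    size_t n = strlen(btMac);
    if (n > MAC_BUF) n = MAC_BUF;           /* bound should be MAC_BUF - 1 */
    memcpy(mac, btMac, n);
    mac[n] = '\0';                          /* off-by-one when n == MAC_BUF */
    return *flag != 0xA5;
}

/* Strict "hh:hh:hh:hh:hh:hh" check: exactly 17 bytes, colons at 2,5,8,11,14. */
static int is_mac_format(const char *s)
{
    if (strlen(s) != MAC_STR_LEN) return 0;
    for (int i = 0; i < MAC_STR_LEN; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return 1;
}

static int all_digits(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* HARDENED: buffers sized for content plus NUL, oversized values rejected before
 * any copy, each field checked against its expected shape (MAC syntax, 4..16
 * digit PIN, bounded reserved). Treating an absent reserved field as acceptable
 * is an assumption of this example. */
static enum bt_result handle_bttest(const char *query)
{
    char mac[MAC_BUF], pin[PIN_MAX_LEN + 1], reserved[RESERVED_BUF];
    long n;

    n = get_param(query, "btMac", mac, sizeof mac);
    if (n == -1) return BT_MISSING;
    if (n == -2) return BT_TOO_LONG;
    if (!is_mac_format(mac)) return BT_BAD_MAC;

    n = get_param(query, "pin", pin, sizeof pin);
    if (n == -1) return BT_MISSING;
    if (n == -2) return BT_TOO_LONG;
    if (n < 4 || !all_digits(pin)) return BT_BAD_PIN;

    n = get_param(query, "reserved", reserved, sizeof reserved);
    if (n == -2) return BT_TOO_LONG;
    return BT_OK;
}

int main(void)
{
    /* Constructed sample requests, not captured traffic. */
    const char *good = "btMac=aa:bb:cc:dd:ee:ff&pin=1234&reserved=";
    const char *oversized = "btMac=aa:bb:cc:dd:ee:ff:00:11:22:33&pin=1234";
    printf("vulnerable, 17-byte mac hits neighbour: %d\n", vulnerable_clobbers("aa:bb:cc:dd:ee:ff"));
    printf("vulnerable, 18-byte mac hits neighbour: %d\n", vulnerable_clobbers("aa:bb:cc:dd:ee:ff:"));
    printf("hardened, good request:  %d (0 = BT_OK)\n", handle_bttest(good));
    printf("hardened, oversized mac: %d (2 = BT_TOO_LONG)\n", handle_bttest(oversized));
    return 0;
}
```

The point of the vulnerable variant is that the clamp itself looks like a bounds check; the defect is the single byte written after it. The hardened variant never lets a value reach a copy unless its length has already been checked against the destination, which is also why get_param returns an error rather than silently truncating.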


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Gain foothold on voice VLAN
Delivery: Authenticate to phone web UI with low-privilege creds
Exploit: POST oversized btMac/pin/reserved to /api/inner/bttest
Execution: Overflow stack in mod_webd.BlueToothTest
Persist: Hijack control flow in webd FastCGI worker
Impact: Execute code on phone and pivot into VoIP network

Vulnerability Assessment (AI)

Exploitation: Attacker must reside on the same broadcast domain or routed-adjacent network as a Yealink SIP-T46U phone running firmware 108.86.0.118 (AV:A, not internet-reachable by default) and must hold valid low-privilege credentials to the phone's web management interface to invoke the /api/inner/bttest FastCGI endpoint (PR:L). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, base 7.3) accurately reflects a high-impact but adjacency-limited bug: an attacker must already sit on the same LAN/VLAN as the phone and hold low-privilege credentials to reach the inner FastCGI endpoint, but once those gates are passed the overflow yields full confidentiality, integrity and availability loss on the device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has gained a foothold on the corporate LAN, for example through a compromised workstation or a rogue Wi-Fi client on the voice VLAN, authenticates to a SIP-T46U with weak or default user credentials and POSTs an oversized btMac/pin/reserved payload to /api/inner/bttest. The published proof-of-concept archive (T46U_mod_webd_BlueToothTest_off_by_one.zip) overflows the stack inside the webd FastCGI worker, giving the attacker code execution on the phone, which can then be used to wiretap calls, pivot deeper into the voice VLAN, or serve as a quiet persistence point on the internal network.

Remediation: No vendor-released patch identified at time of analysis; Yealink was contacted but did not respond, so administrators cannot currently upgrade to a fixed firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Identify all Yealink SIP-T46U devices running firmware 108.86.0.118; implement network segmentation so that the phones' web management interface is reachable only from trusted management networks, and replace weak or default web credentials, since the endpoint requires an authenticated LAN-adjacent session. …
