Skip to main content

Totolink NR1800X CVE-2026-7546

| EUVDEUVD-2026-26473 HIGH
Buffer Overflow (CWE-119)
2026-05-01 cna@vuldb.com
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 03:30 vuln.today
EUVD ID Assigned
May 01, 2026 - 03:22 euvd
EUVD-2026-26473
Analysis Generated
May 01, 2026 - 03:22 vuln.today
CVE Published
May 01, 2026 - 03:16 nvd
HIGH 8.9

DescriptionCVE.org

A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. The impacted element is the function find_host_ip of the component lighttpd. Such manipulation of the argument Host leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

AnalysisAI

Stack-based buffer overflow in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows remote unauthenticated attackers to execute arbitrary code or crash the device by sending malicious HTTP Host headers to the lighttpd web server. The vulnerability has publicly available exploit code (CVSS E:P) but is not currently listed in CISA KEV. EPSS data unavailable, but the combination of remote unauthenticated attack vector (AV:N/PR:N), low complexity (AC:L), and confirmed POC suggests elevated real-world risk for internet-facing devices running this specific firmware version.

Technical ContextAI

The vulnerability resides in the find_host_ip function within the lighttpd web server component integrated into Totolink NR1800X router firmware. Lighttpd is a lightweight HTTP server commonly embedded in IoT devices and routers. The flaw is a classic stack-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) triggered by insufficient input validation when processing the HTTP Host header. When an oversized or specially crafted Host header is sent to the web server, the find_host_ip function copies data into a fixed-size stack buffer without proper bounds checking, overwriting adjacent memory structures. This enables control of the instruction pointer and arbitrary code execution within the lighttpd process context, which typically runs with elevated privileges on embedded router platforms.

RemediationAI

No vendor-released patch or updated firmware version has been identified in available references at time of analysis. Users should monitor Totolink's official website at totolink.net and their product support pages for security advisories and firmware updates addressing CVE-2026-7546. Until a patch is released, implement the following compensating controls: disable remote administration access to the router's web interface from the WAN side (typically found under Administration or Remote Management settings), restricting access to LAN-only which prevents internet-based exploitation. Change the default HTTP/HTTPS management ports to non-standard values to reduce automated scanning visibility. Implement network segmentation to isolate the router's management interface from untrusted network segments. Deploy intrusion detection signatures to detect HTTP requests with anomalously long Host headers (greater than 256 bytes) targeting the device. Note that disabling web-based management entirely eliminates the attack surface but requires alternative configuration methods via SSH or serial console. Consider replacing the device with alternative hardware if Totolink does not release timely security updates.

Share

CVE-2026-7546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy