CVE-2021-35392 Overview
CVE-2021-35392 is a heap buffer overflow in the Realtek Jungle Software Development Kit (SDK) versions v2.x through v3.4.14B. The flaw resides in the WiFi Simple Config server, distributed as wscd or mini_upnpd, which implements the Universal Plug and Play (UPnP) and Simple Service Discovery Protocol (SSDP) services. The server unsafely crafts SSDP NOTIFY messages from the ST header of incoming M-SEARCH requests. Remote attackers reachable on the network can send a malformed M-SEARCH packet to corrupt the heap. The vulnerability affects a wide range of consumer and embedded routers because the Realtek SDK is redistributed across dozens of OEM firmware images.
Critical Impact
Unauthenticated network attackers can corrupt heap memory in the UPnP/SSDP daemon, leading to service crash and potential code execution paths on affected Realtek-based devices.
Affected Products
- Realtek rtl819x_jungle_software_development_kit versions v2.x up to v3.4.14B
- OEM router firmware bundling the wscd WiFi Simple Config binary
- OEM router firmware bundling the mini_upnpd binary (successor to miniigd)
Discovery Timeline
- 2021-08-16 - CVE-2021-35392 published to the National Vulnerability Database (NVD)
- 2025-08-13 - Last updated in the NVD database
Technical Details for CVE-2021-35392
Vulnerability Analysis
The WiFi Simple Config server listens for SSDP traffic on UDP port 1900. When an M-SEARCH discovery request arrives, the server extracts the ST (Search Target) header value and embeds it into an outbound SSDP NOTIFY response. The routine that builds the response writes attacker-controlled ST data into a fixed-size heap buffer without validating the input length. A long ST header overflows the buffer, corrupting adjacent heap metadata and program data. The weakness is classified as an out-of-bounds write under [CWE-787].
Because the SSDP service is exposed by default on the LAN interface, and in some OEM configurations on the WAN interface, any host capable of reaching UDP/1900 can trigger the overflow without authentication or user interaction.
Root Cause
The root cause is missing bounds checking when concatenating the received ST value into the response buffer. The Realtek SDK code path assumes the ST field conforms to a short, well-formed URN string, so it neither truncates the input nor validates length against the destination buffer size before the copy operation.
Attack Vector
An attacker sends a single UDP M-SEARCH datagram to port 1900 containing an oversized ST header. The malformed value flows directly into the heap buffer that builds the SSDP NOTIFY reply. The overflow can crash wscd or mini_upnpd, denying network services on the device. Depending on the heap layout and target architecture, the same primitive has been used in public research to pivot toward arbitrary code execution on MIPS and ARM Realtek-based devices.
No verified public code example is included here. Refer to the IoT Inspector Advisory on Realtek SDK and the Realtek SDK Advisory CVE-2021-35392 for technical analysis.
Detection Methods for CVE-2021-35392
Indicators of Compromise
- Repeated crashes or restarts of the wscd or mini_upnpd process on Realtek-based devices
- Inbound UDP traffic to port 1900 containing M-SEARCH requests with abnormally long ST headers
- Unexpected SSDP NOTIFY traffic originating from edge routers shortly after malformed discovery requests
Detection Strategies
- Inspect network traffic for SSDP M-SEARCH packets where the ST header length exceeds typical URN values (commonly 64 bytes)
- Identify exposed UDP/1900 services on the WAN side using external attack-surface scans
- Correlate device watchdog reboots with preceding inbound SSDP traffic in firewall logs
Monitoring Recommendations
- Enable NetFlow or packet capture on perimeter devices for UDP/1900 to baseline normal SSDP volume
- Alert on UPnP traffic crossing network segmentation boundaries where it should not be permitted
- Track firmware versions across the device fleet to identify hosts running vulnerable Realtek SDK builds
How to Mitigate CVE-2021-35392
Immediate Actions Required
- Identify all routers, access points, and IoT devices built on the Realtek rtl819x Jungle SDK
- Block external access to UDP port 1900 at the network perimeter
- Disable UPnP on affected devices when the feature is not required for business operations
- Apply OEM firmware updates that incorporate the patched Realtek SDK
Patch Information
Realtek published a fixed SDK and coordinated with downstream OEMs. Refer to the Realtek SDK Advisory CVE-2021-35392 for the official advisory and to the device manufacturer for firmware images that incorporate the corrected wscd / mini_upnpd binary. Devices running Realtek Jungle SDK versions later than v3.4.14B with vendor patches applied are no longer vulnerable.
Workarounds
- Disable the WiFi Simple Config / UPnP service on the device management interface when feasible
- Filter inbound UDP/1900 at upstream firewalls so SSDP traffic cannot reach the device from untrusted networks
- Place vulnerable embedded devices on isolated VLANs to limit lateral exposure until firmware updates are applied
# Example perimeter firewall rule to block external SSDP traffic
iptables -A INPUT -p udp --dport 1900 -i eth_wan -j DROP
iptables -A FORWARD -p udp --dport 1900 -i eth_wan -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
