CVE-2026-26736 Overview
CVE-2026-26736 is a stack-based buffer overflow vulnerability affecting TOTOLINK A3002RU_V3 firmware version V3.0.0-B20220304.1804. The flaw resides in the formIpv6Setup function within the boa web server binary. An authenticated attacker can supply an oversized value to the static_ipv6 parameter to overflow a fixed-size stack buffer. Successful exploitation leads to arbitrary code execution on the router with full compromise of confidentiality, integrity, and availability. The vulnerability is tracked under [CWE-787] (Out-of-bounds Write) and [CWE-121] (Stack-based Buffer Overflow).
Critical Impact
Network-adjacent attackers with low-privilege credentials can corrupt the stack of the router's web management daemon to execute arbitrary code and seize control of the device.
Affected Products
- TOTOLINK A3002RU_V3 hardware revision V3
- TOTOLINK A3002RU firmware version V3.0.0-B20220304.1804
- formIpv6Setup handler within the boa web server component
Discovery Timeline
- 2026-02-17 - CVE-2026-26736 published to the National Vulnerability Database
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-26736
Vulnerability Analysis
The vulnerability resides in the formIpv6Setup function exposed by the boa web server on the TOTOLINK A3002RU_V3 router. The handler processes IPv6 configuration submitted through the device web interface. The static_ipv6 HTTP parameter is copied into a fixed-size stack buffer without bounds enforcement. Supplying a long string overwrites adjacent stack memory, including saved return addresses and frame pointers. An authenticated attacker on the management network can hijack control flow of the web server process. Because TOTOLINK SOHO routers typically run the boa daemon as root, code execution inherits root privileges on the MIPS-based device.
Root Cause
The root cause is missing length validation on user-controlled input before invoking an unsafe string copy operation. The static_ipv6 parameter is treated as a trusted, well-formed IPv6 string and written directly into a stack-allocated buffer. No call to strncpy, snprintf, or equivalent bounded copy protects the destination. This pattern matches [CWE-121] stack-based buffer overflow conditions common to embedded HTTP form handlers in consumer router firmware.
Attack Vector
Exploitation requires network reachability to the router's HTTP management interface and valid low-privilege credentials. The attacker issues a crafted POST request to the IPv6 configuration endpoint with an oversized static_ipv6 value. Stack corruption then redirects execution to attacker-controlled shellcode or a ROP chain. Routers exposing the web interface to wider network segments, including misconfigured WAN-side management, broaden the exploitable surface. Public proof-of-concept material is referenced in the GitHub PoC repository.
No verified exploit code is reproduced here. See the linked repository for technical reproduction details.
Detection Methods for CVE-2026-26736
Indicators of Compromise
- HTTP POST requests to IPv6 setup endpoints containing abnormally long static_ipv6 parameter values, often exceeding 100 bytes or containing non-printable bytes.
- Unexpected restarts or crashes of the boa web server process recorded in router system logs.
- Outbound connections from the router to unfamiliar IP addresses or unexpected listening services on the device after configuration changes.
Detection Strategies
- Inspect web management traffic for static_ipv6 payloads that fail IPv6 syntax validation or exceed expected length boundaries.
- Monitor for repeated authenticated requests to formIpv6Setup from a single source, indicating exploitation attempts or fuzzing.
- Correlate router authentication events with subsequent configuration form submissions to identify credential-based abuse.
Monitoring Recommendations
- Forward router syslog and web server logs to a centralized logging platform for retention and search.
- Alert on new processes, open ports, or firewall rule changes on the router that were not initiated by administrators.
- Track administrative credential use against TOTOLINK devices and flag logins from unusual source addresses.
How to Mitigate CVE-2026-26736
Immediate Actions Required
- Disable remote (WAN-side) access to the router's web management interface and restrict LAN-side access to trusted administrative hosts.
- Rotate all administrative credentials on affected TOTOLINK A3002RU_V3 devices and enforce strong, unique passwords.
- Segment vulnerable routers from sensitive internal networks until a vendor patch is installed.
Patch Information
No vendor advisory or fixed firmware version is referenced in the NVD entry at the time of publication. Administrators should monitor the TOTOLINK support site for an updated firmware release that addresses the formIpv6Setup buffer overflow and apply it as soon as it becomes available.
Workarounds
- Restrict access to the HTTP management interface using firewall rules or access control lists that limit source IP addresses.
- Replace end-of-life or unsupported TOTOLINK A3002RU_V3 devices with current-generation hardware that receives active security maintenance.
- Place the router behind a network segmentation boundary and require VPN access for administrative tasks.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
