CVE-2026-26731
Published: 17 February 2026
Summary
CVE-2026-26731 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Totolink A3002Ru Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of inputs like the routernamer parameter to prevent stack-based buffer overflows from oversized or malformed data.
SI-16 enforces memory protections such as stack canaries, DEP, and ASLR that directly mitigate exploitation of stack-based buffer overflows.
SI-2 mandates timely flaw remediation, including patching the specific buffer overflow in the formDnsv6 function of the Boa web server.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing Boa web server (formDnsv6) enables remote exploitation for RCE on network device (T1190); low-priv authenticated access yields full control (C/I/A high), directly supporting privilege escalation (T1068).
NVD Description
TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the routernamer`parameter in the formDnsv6 function.
Deeper analysisAI
CVE-2026-26731 is a stack-based buffer overflow vulnerability affecting the TOTOLINK A3002RU router on firmware version V2.1.1-B20211108.1455. The flaw occurs in the formDnsv6 function when processing the routernamer parameter, as disclosed on 2026-02-17. It is associated with CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers with low privileges, such as authenticated users, can exploit this vulnerability remotely over the network with low complexity and without requiring user interaction. Successful exploitation enables high-impact consequences, including unauthorized disclosure of sensitive data, modification of system resources, and denial of service through complete control over the affected component.
A proof-of-concept demonstrating the stack overflow in the Boa web server handling formDnsv6 is available at https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RU-boa-formDnsv6-StackOverflow. No vendor advisories or patches are referenced in the available information.
Details
- CWE(s)