Cyber Resilience

CVE-2026-7219

Severity: High

Published: 28 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 7.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-7219 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the Totolink N300RT (product inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.0th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7219 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the Totolink N300RT router firmware version 3.4.0-B20250430. The flaw exists in an unknown function of the /boafrm/formIpQoS file, where manipulation of the "entry_name" argument triggers the overflow. This issue was published on 2026-04-28 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation over the network with low attack complexity, though it requires high privileges (PR:H), such as authenticated administrative access. A successful attack can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution and full device compromise.

Advisories referenced in VulDB (vuldb.com/vuln/359819 and related entries) document the vulnerability details and associated threat intelligence. A proof-of-concept exploit is publicly available in a GitHub repository (github.com/xiaohyang-ai/IoT-Vulnerability-Research/tree/main/Vendors/TOTOLINK/N300RT/formIpQoS-Bof). The Totolink vendor website (totolink.net) is also listed among the references, but no specific patch or mitigation guidance is detailed in the information provided.

The published exploit heightens the risk for unpatched Totolink N300RT devices running the affected firmware.

EU & UK References

Vulnerability details

A flaw has been found in Totolink N300RT 3.4.0-B20250430. This affects an unknown function of the file /boafrm/formIpQoS. Executing a manipulation of the argument entry_name can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.

CWE(s): CWE-119, CWE-120

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in the router's public-facing web form handler (/boafrm/formIpQoS) directly enables remote exploitation of a public-facing application for arbitrary code execution and device compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-11296 (shared CWE-119, CWE-120)
CVE-2025-10942 (shared CWE-119, CWE-120)
CVE-2026-8775 (shared CWE-119, CWE-120)
CVE-2026-1328 (shared CWE-119, CWE-120)
CVE-2026-3701 (shared CWE-119, CWE-120)
CVE-2025-15459 (shared CWE-119, CWE-120)
CVE-2025-11356 (shared CWE-119, CWE-120)
CVE-2026-8260 (shared CWE-119, CWE-120)
CVE-2026-2202 (shared CWE-119, CWE-120)
CVE-2025-12232 (shared CWE-119, CWE-120)

Affected Assets

Totolink
N300RT
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the CVE by requiring identification, reporting, and correction of the buffer overflow flaw in the Totolink N300RT firmware.

SI-10 Information Input Validation (prevent)

Prevents buffer overflow exploitation by enforcing validation of the 'entry_name' argument in the /boafrm/formIpQoS handler.

Runtime memory protection (prevent)

Provides runtime memory protections such as non-executable stacks or ASLR to hinder arbitrary code execution from the buffer overflow.
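The bounded-copy defect behind CWE-119/CWE-120 described in the deeper analysis, and the SI-10 input-validation control listed above, as an added C example that is not part of this record and is not Totolink's firmware code: a hypothetical handler for the entry_name field of a QoS form, with the unchecked copy that produces the overflow beside a validated version that rejects oversized, empty or malformed values before they reach the fixed-size field. The field size ENTRY_NAME_MAX, the qos_rule record, the function names and the request bodies are all assumptions constructed for the example.

```c
#include <ctype.h>
#include <string.h>

/* Illustrative handler for a QoS form field, modelled on the pattern the advisory
 * describes. Not Totolink's firmware code: field size, record layout and names are
 * assumptions for this example. */

#define ENTRY_NAME_MAX 32   /* assumed size of the stored name field */

struct qos_rule {
    char entry_name[ENTRY_NAME_MAX];
    int  priority;
};

/* The CWE-120 pattern: the request value is copied with no length check, so any
 * value of ENTRY_NAME_MAX bytes or more writes past the end of entry_name. */
void set_entry_name_unchecked(struct qos_rule *rule, const char *value)
{
    strcpy(rule->entry_name, value);
}

/* Validated replacement (NIST SI-10): bound the length and restrict the character
 * set before any byte reaches the fixed-size field. Returns 0 when stored, -1 when
 * rejected; the rule is left untouched on -1. */
int set_entry_name(struct qos_rule *rule, const char *value)
{
    const char *nul;
    size_t len, i;

    if (value == NULL)
        return -1;
    /* memchr bounds the scan: no NUL within ENTRY_NAME_MAX bytes means the value
     * cannot fit together with its terminator, so it is rejected unread. */
    nul = memchr(value, '\0', ENTRY_NAME_MAX);
    if (nul == NULL)
        return -1;
    len = (size_t)(nul - value);
    if (len == 0)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != ' ')
            return -1;
    }
    memcpy(rule->entry_name, value, len + 1);
    return 0;
}

/* Minimal lookup in an application/x-www-form-urlencoded body (no percent decoding).
 * Copies at most outsz-1 bytes into out and returns the full length of the value,
 * or -1 if the key is absent. A result >= outsz means the value was truncated and
 * the caller must treat it as a failure, not as a shorter name. */
long get_form_param(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t pairlen = amp ? (size_t)(amp - p) : strlen(p);
        if (pairlen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = pairlen - klen - 1;
            size_t n = vlen < outsz - 1 ? vlen : outsz - 1;
            memcpy(out, p + klen + 1, n);
            out[n] = '\0';
            return (long)vlen;
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

/* Hardened handler: stage the value in a buffer larger than the field, reject
 * anything missing, truncated or invalid, and only then store it. */
int handle_ip_qos(const char *body, struct qos_rule *rule)
{
    char tmp[256];
    long n = get_form_param(body, "entry_name", tmp, sizeof tmp);

    if (n < 0 || (size_t)n >= sizeof tmp)
        return -1;
    return set_entry_name(rule, tmp);
}

/* Constructed check: a 500-byte entry_name (constructed input) must be rejected
 * and must leave the existing rule untouched. Returns 1 if so, else 0. */
int oversized_body_rejected(void)
{
    char body[600];
    struct qos_rule rule;
    size_t off = strlen("entry_name=");

    memset(&rule, 0, sizeof rule);
    strcpy(rule.entry_name, "baseline");
    memcpy(body, "entry_name=", off);
    memset(body + off, 'A', 500);
    strcpy(body + off + 500, "&priority=1");
    return handle_ip_qos(body, &rule) == -1 && strcmp(rule.entry_name, "baseline") == 0;
}
```

The design point is that the length decision is made against the destination size before any copy, and the staging buffer is deliberately larger than the field so that truncation by the form parser is detectable and rejected rather than silently accepted as a shorter name. Runtime protections such as non-executable stacks or ASLR raise the cost of turning an overflow into code execution, but only the bounds check removes the overflow itself.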

References