CVE-2026-7749
Published: 04 May 2026
Summary
CVE-2026-7749 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Notion (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates the priDns argument in POST requests to prevent buffer overflow exploitation in the setWanConfig function.
Requires timely remediation of the disclosed buffer overflow flaw through firmware patching for Totolink N300RH routers.
Implements memory protections like stack guards or ASLR to mitigate successful buffer overflow leading to arbitrary code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing CGI handler (setWanConfig/priDns) on network device web interface enables remote authenticated exploitation for arbitrary code execution and full system compromise, directly mapping to T1190 (public app) and T1068 (priv esc from low-priv account).
NVD Description
A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. This affects the function setWanConfig of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument priDns leads to buffer overflow. The attack may be initiated…
more
remotely. The exploit has been disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-7749 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting Totolink N300RH routers running firmware version 3.2.4-B20220812. The flaw resides in the setWanConfig function within the /cgi-bin/cstecgi.cgi file, part of the POST Request Handler component. It is triggered by manipulating the priDns argument in a POST request, as disclosed on 2026-05-04.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. An attacker with low privileges can exploit it remotely over the network with low complexity and no user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution or system crashes.
Advisories and additional details are documented in references including VulDB entries (vuldb.com/vuln/360924, vuldb.com/vuln/360924/cti, vuldb.com/submit/807203), a public exploit disclosure at lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setWanConfig-34553a41781f80ed8500d9b8d54074f2, and the vendor site at totolink.net. The exploit has been publicly disclosed and may be used.
Details
- CWE(s)