PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12220 Yealink CVE debrief

A stack-based buffer overflow has been found in Yealink SIP-T46U firmware 108.86.0.118. It lies in the `mod_upgrade.SparePartsUpload` function, reached through the `/api/upgrade/accupgradebychunk` file of the Firmware Chunk Upload handler, and is triggered by manipulating the `uid` argument. The attack can only be launched from the local network. An exploit has been publicly disclosed; the vendor was contacted early about the disclosure but did not respond.

Vendor
Yealink
Product
SIP-T46U
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-15
Original CVE updated
2026-06-15
Advisory published
2026-06-15
Advisory updated
2026-06-15

Who should care

Anyone who operates Yealink SIP-T46U phones running firmware 108.86.0.118. Because the attack has to originate on the local network, exposure is greatest where the phones' HTTP API (and with it the `/api/upgrade/accupgradebychunk` path) can be reached from user or guest segments rather than only from a management network.

Technical summary

The flaw is a stack-based buffer overflow in the `mod_upgrade.SparePartsUpload` function, in the `/api/upgrade/accupgradebychunk` file of the Firmware Chunk Upload handler, triggered through the `uid` argument. An overflow of that class triggered by an argument means the function copies `uid` into a fixed-size stack buffer without an adequate length check, so an over-long value overwrites adjacent stack data. The usual consequences are a crash of the handler or, with a crafted value, execution of attacker-controlled code in its context. The CVSS score is 7.3, which is rated High.

Defensive priority

High

Recommended defensive actions

  • Apply the vendor's firmware update as soon as one is released; at the time of this advisory the record references no fix and the vendor had not responded to the disclosure.
  • Until a fix is available, keep the phones' HTTP API (and with it the `/api/upgrade/accupgradebychunk` path) reachable only from a management or provisioning network, not from user, guest or voice VLANs shared with untrusted hosts. The attack requires local network access, so segmentation removes most of the exposure.
  • Watch for requests to `/api/upgrade/accupgradebychunk` that carry an unusually long or non-printable `uid` value, and for handler crashes or unexpected phone reboots following such requests, as signs of exploitation attempts.
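The following C program is an added illustration written for this debrief; it is not Yealink's code and does not reproduce the real `mod_upgrade.SparePartsUpload` function. It shows the defect class described in the technical summary (a form field copied into a fixed-size stack buffer with no length check) beside a hardened version of the same handler, and reuses the same field parser as a monitoring check for the over-long `uid` values the last recommended action tells you to watch for. The buffer size `UID_MAX`, the form-encoded request layout, the function names and the sample bodies are all assumptions.

```c
/* Added illustration (not Yealink's code): a hypothetical chunk-upload handler
 * that reads a form-encoded "uid" field into a fixed-size stack buffer.
 * Buffer size, field format, function names and sample bodies are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define UID_MAX 32            /* assumed size of the stack buffer holding uid */
#define UID_ALERT_LEN UID_MAX /* monitoring threshold: tune to the longest legitimate uid */

/* Locate the value of "uid=" in a form-encoded body such as "chunk=1&uid=abc".
 * Returns a pointer to the value and stores its length, or NULL if absent. */
static const char *find_uid(const char *body, size_t *len)
{
    const char *p = body;
    while (p && *p) {                       /* p always sits at the start of a field */
        if (strncmp(p, "uid=", 4) == 0) {
            const char *v = p + 4;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');                 /* advance to the next field */
        if (p)
            p++;
    }
    return NULL;
}

/* Vulnerable pattern (CWE-121): the value length is never compared with the
 * buffer size, so a uid longer than UID_MAX-1 bytes overwrites the stack.
 * Never feed this untrusted input; it exists only to show the defect. */
int handle_upload_vulnerable(const char *body)
{
    char uid[UID_MAX];
    size_t n;
    const char *v = find_uid(body, &n);
    if (!v)
        return -1;
    memcpy(uid, v, n);          /* n may exceed sizeof uid */
    uid[n] = '\0';              /* this write lands past the buffer too */
    return (int)strlen(uid);
}

/* Hardened: compare the length with the buffer size and reject anything that
 * does not fit, before any byte is written to the stack buffer. */
int handle_upload_safe(const char *body)
{
    char uid[UID_MAX];
    size_t n;
    const char *v = find_uid(body, &n);
    if (!v)
        return -1;              /* uid missing */
    if (n >= sizeof uid)
        return -2;              /* uid too long: reject instead of overflowing */
    memcpy(uid, v, n);
    uid[n] = '\0';
    return (int)n;              /* accepted; length of uid */
}

/* Monitoring helper: given a captured request body for the upload endpoint,
 * return 1 when the uid field reaches the alert threshold, 0 otherwise. */
int uid_is_suspicious(const char *body)
{
    size_t n;
    const char *v = find_uid(body, &n);
    return (v != NULL && n >= UID_ALERT_LEN) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    const char *normal = "chunk=1&uid=phone-0042&size=1024";
    char longuid[128];
    char body[256];
    memset(longuid, 'A', sizeof longuid - 1);
    longuid[sizeof longuid - 1] = '\0';
    snprintf(body, sizeof body, "chunk=1&uid=%s&size=1024", longuid);

    printf("normal uid:   safe handler -> %d, suspicious=%d\n",
           handle_upload_safe(normal), uid_is_suspicious(normal));
    printf("127-byte uid: safe handler -> %d, suspicious=%d\n",
           handle_upload_safe(body), uid_is_suspicious(body));
    /* handle_upload_vulnerable(body) would overflow the 32-byte stack buffer. */
    return 0;
}
```

The only difference between the two handlers is the single comparison before `memcpy`; the monitoring check applies the same comparison to traffic instead of to the handler's own input, so once the real buffer size is known from a fix or a crash dump, `UID_ALERT_LEN` should be set a little below it rather than at the assumed 32.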

Evidence notes

The CVE-2026-12220 record was obtained from the official CVE database. Additional details were sourced from NVD and VulDB.

Official resources

The CVE-2026-12220 record was published and last modified on 2026-06-15T06:16:24.113Z.