PatchSiren cyber security CVE debrief
CVE-2026-12221 Yealink CVE debrief
A vulnerability was found in Yealink SIP-T46U 108.86.0.118. It affects the function sprintf in the file /api/upgrade/upgrade of the component Firmware Chunk Upload Handler. Manipulating the argument uid/start_offset results in a stack-based buffer overflow. The attack must be launched from within the local network. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
- Vendor: Yealink
- Product: SIP-T46U
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of Yealink SIP-T46U 108.86.0.118 are at risk from stack-based buffer overflow attacks launched from within the local network.
Technical summary
The vulnerability, CVE-2026-12221, is a stack-based buffer overflow issue (CWE-119, CWE-121) in the Firmware Chunk Upload Handler of Yealink SIP-T46U 108.86.0.118. It has a CVSS score of 7.3 and is considered HIGH severity.
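The bug class named above, an unbounded sprintf fed by request arguments, is shown here next to a bounded alternative. This is an added example, not Yealink firmware code and not taken from the advisory; the function name build_chunk_path, the path format, the buffer size and the limits are all assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UID_MAX_LEN    32   /* assumed policy limit, not from the advisory */
#define CHUNK_PATH_MAX 64   /* assumed size of the stack buffer */

/* Unsafe pattern of the class the advisory names (comment only, never built):
 *     char path[CHUNK_PATH_MAX];
 *     sprintf(path, "/tmp/fw_%s_%s.part", uid, start_offset);
 * Nothing bounds the two request strings against the 64-byte buffer. */

/* Hypothetical hardened helper: returns 0 and fills out, or -1 and leaves
 * out empty when an argument is rejected or the result would not fit. */
int build_chunk_path(char *out, size_t out_len, const char *uid,
                     const char *start_offset, unsigned long max_image)
{
    if (!out || out_len == 0) return -1;
    out[0] = '\0';
    if (!uid || !start_offset) return -1;
    /* uid: allow-list of alphanumerics, scanned no further than the limit. */
    size_t n = 0;
    for (; uid[n] != '\0'; n++)
        if (n >= UID_MAX_LEN || !isalnum((unsigned char)uid[n])) return -1;
    if (n == 0) return -1;
    /* start_offset: parse to a number and range-check it rather than
     * copying the caller's string into the path. */
    if (!isdigit((unsigned char)start_offset[0])) return -1;
    errno = 0;
    char *end = NULL;
    unsigned long off = strtoul(start_offset, &end, 10);
    if (errno != 0 || *end != '\0' || off > max_image) return -1;
    /* snprintf bounds the write; its return value exposes truncation. */
    int w = snprintf(out, out_len, "/tmp/fw_%s_%lu.part", uid, off);
    if (w < 0 || (size_t)w >= out_len) { out[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    char path[CHUNK_PATH_MAX];
    int rc = build_chunk_path(path, sizeof path, "abc123", "4096", 1UL << 26);
    printf("rc=%d path=%s\n", rc, path);
    return rc == 0 ? 0 : 1;
}
```

The same three checks (length-capped allow-list, numeric parsing with a range limit, truncation-aware formatting) apply to any handler that builds a string from request fields into a fixed buffer.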
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor as soon as available.
- Limit access to the Firmware Chunk Upload Handler to only necessary personnel.
- Monitor network traffic for suspicious activity related to the Yealink SIP-T46U device.
Evidence notes
The CVE record was published and modified on 2026-06-15T06:16:24.263Z. The vulnerability details were obtained from the NVD and CVE.org.
Official resources
Publicly disclosed on 2026-06-15.