CVE-2022-26376

2022-08-0521:18:47

CWE-787

talos

www.cve.org

asuswrt

asuswrt-merlin

memory corruption

remote code execution

http request

vulnerability

network request

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

9.8

Confidence

High

EPSS

0.007

Percentile

80.1%

JSON

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7… A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

CNA Affected

[
  {
    "vendor": "Asuswrt-Merlin",
    "product": "Asuswrt-Merlin New Gen",
    "versions": [
      {
        "version": "prior to 386.7",
        "status": "affected"
      }
    ]
  }
]