CVE-2022-26376

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7.. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

Published: Aug 6, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-26376
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-787

Affected Software
References

Software	From	Fixed in
asus / asuswrt	-	3.0.0.4.386_48706
asuswrt-merlin / new_gen	-	386.7
asus / xt8_firmware	-	3.0.0.4.386_48706
asus / tuf-ax3000_v2_firmware	-	3.0.0.4.386_48750
asus / xd4_firmware	-	3.0.0.4.386_48790
asus / et12_firmware	-	3.0.0.4.386_48823
asus / gt-ax6000_firmware	-	3.0.0.4.386_48823
asus / xt12_firmware	-	3.0.0.4.386_48823
asus / rt-ax58u_firmware	-	3.0.0.4.386_48908
asus / xt9_firmware	-	3.0.0.4.388_20027
asus / xd6_firmware	-	3.0.0.4.386_49356
asus / gt-ax11000_pro_firmware	-	3.0.0.4.386_48996
asus / gt-axe16000_firmware	-	3.0.0.4.386_48786
asus / rt-ax86u_firmware	-	3.0.0.4.386_49447
asus / rt-ax68u_firmware	-	3.0.0.4.386_49479
asus / rt-ax82u_firmware	-	3.0.0.4.386_49380
asus / rt-ax56u_firmware	-	3.0.0.4.386_49559
asus / rt-ax55_firmware	-	3.0.0.4.386_49559
asus / gt-ax11000_firmware	-	3.0.0.4.386_49559

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1511

Vulnerability Database

289,871

CVE-2022-26376