CVE-2026-10187: Totolink N300RH Stack Buffer Overflow in setWiFiBasicConfig
A critical-severity stack buffer overflow tracked as CVE-2026-10187 has been disclosed in the Totolink N300RH wireless router. The vulnerability resides in the setWiFiBasicConfig function within the wireless.so component of the device's Web Management Interface. By manipulating the KeyStr argument, an attacker can trigger a stack-based buffer overflow, potentially leading to remote code execution (RCE).
The vulnerability was published on May 31, 2026, and carries a CVSS v3.1 score of 9.8 (Critical), reflecting that it is remotely exploitable without authentication.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-10187 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-121 — Stack-based Buffer Overflow |
| Affected Component | setWiFiBasicConfig in wireless.so |
| Vulnerable Parameter | KeyStr |
| Attack Vector | Network (Remote) |
| Authentication Required | None |
| Privileges Required | None |
| Primary Impact | Remote Code Execution / Denial of Service |
| Published | May 31, 2026 |
Affected Products
| Product | Firmware Version |
|---|---|
| Totolink N300RH | 6.1c.1353_B20190305 |
The Totolink N300RH is a consumer-grade wireless router. The affected firmware version (6.1c.1353_B20190305) appears to be an older release, and Totolink has not released a patch as of publication. Users of this device should check Totolink's official support channels for updated firmware.
Technical Details
Root Cause
The setWiFiBasicConfig function in wireless.so handles WiFi configuration requests via the router's Web Management Interface. The function processes the KeyStr parameter — which represents a WiFi password or WEP key string — without performing proper length validation before copying it into a fixed-size stack buffer.
When an attacker submits an overly long value for KeyStr, the function copies the oversized input directly onto the stack, overflowing the allocated buffer. This corrupts adjacent stack memory, including return addresses and saved frame pointers.
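The pattern described above, next to a bounds-checked form, as an added C example (not code from the Totolink firmware or from the original advisory). The function names, the 65-byte buffer size and the WPA-PSK key rule (8 to 63 printable ASCII characters, or 64 hex digits) are assumptions for illustration; WEP key lengths would need their own branch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX_LEN 64                  /* WPA-PSK: 8-63 ASCII chars or 64 hex digits */
#define KEY_BUF_SIZE (KEY_MAX_LEN + 1)  /* assumed size; the real buffer size is not published */

/* Vulnerable pattern (hypothetical name): copy length is set entirely by the request. */
size_t store_key_unchecked(const char *key_str) {
    char key[KEY_BUF_SIZE];
    strcpy(key, key_str);               /* overruns key[] once key_str exceeds 64 chars */
    return strlen(key);
}

/* Length of s, reading at most limit + 1 bytes; limit + 1 means "too long". */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n <= limit && s[n] != '\0') n++;
    return n;
}

/* Hardened form (hypothetical name): returns 0 and fills out[], or -1 on rejection. */
int store_key_checked(const char *key_str, char *out, size_t out_size) {
    if (key_str == NULL || out == NULL) return -1;
    size_t len = bounded_len(key_str, KEY_MAX_LEN);
    if (len < 8 || len > KEY_MAX_LEN || len >= out_size) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)key_str[i];
        /* 64-character keys must be hex; shorter ones printable ASCII */
        if (len == KEY_MAX_LEN ? !isxdigit(c) : (c < 0x20 || c > 0x7e)) return -1;
    }
    memcpy(out, key_str, len + 1);      /* length already proven to fit, NUL included */
    return 0;
}

int main(void) {
    char key[KEY_BUF_SIZE], oversized[513];   /* constructed sample inputs */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("valid passphrase: %d\n",
           store_key_checked("correct horse battery", key, sizeof key));
    printf("oversized KeyStr: %d\n",
           store_key_checked(oversized, key, sizeof key));
    return 0;
}
```

The check runs before any copy, so a rejected KeyStr never touches the destination buffer.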
Exploitation
Remote Exploitability
The Web Management Interface is typically accessible over the local network and, in many default configurations, may be reachable remotely if WAN management is enabled. The CVSS score of 9.8 reflects the assumption that the interface is network-accessible.
Stack Overflow Path
HTTP POST to WiFi config endpoint
→ setWiFiBasicConfig() in wireless.so
→ KeyStr parameter copied to stack buffer
→ No bounds checking performed
→ Stack buffer overflow triggered
→ Return address overwritten
→ Arbitrary code execution (as root)
Denial of Service
Even without a weaponized exploit, sending an oversized KeyStr value reliably crashes the router's web management process or causes a full device reboot, constituting a denial of service.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Potential full device takeover with root privileges |
| Denial of Service | Reliable device crash via oversized KeyStr |
| Network Integrity | Compromised router can intercept, reroute, or inspect all traffic |
| Lateral Movement | Router compromise enables network-level attacks on connected devices |
| Home/SMB Networks | Consumer routers rarely have additional compensating controls |
Remediation
Recommended Actions
- Check for firmware updates — Visit Totolink's official support page and upgrade to the latest available firmware for the N300RH
- Disable WAN management — Ensure the Web Management Interface is not accessible from the internet (disable remote management in router settings)
- Restrict management access — If possible, bind the management interface to specific trusted IP addresses or a dedicated management VLAN
- Consider device replacement — The N300RH 6.1c.1353_B20190305 firmware dates from 2019; devices running end-of-support firmware should be replaced
Temporary Mitigations
1. Admin Panel → Remote Management → Disable
2. Admin Panel → Firewall → Block external access to port 80/443
3. Change default admin credentials if not already done
4. Monitor router logs for unexpected configuration changes
Context: Router Vulnerabilities and Consumer Risk
Consumer and small business routers are among the most frequently targeted devices in threat actor campaigns. Compromised routers are used to:
- Intercept unencrypted traffic between devices and the internet
- Deploy botnet agents for DDoS campaigns
- Pivot into internal networks for further exploitation
- Redirect DNS to phishing or malware-serving infrastructure
Router firmware vulnerabilities are particularly dangerous because:
- Many users never apply firmware updates
- Vendor support for older hardware is often minimal or absent
- Administrative interfaces may be inadvertently exposed to the internet
- Routers run continuously with minimal monitoring
Key Takeaways
- CVE-2026-10187 is a CVSS 9.8 critical stack buffer overflow in the Totolink N300RH's WiFi configuration handler
- The flaw is remotely exploitable without authentication, making it trivially accessible to network attackers
- No official patch has been confirmed as of June 1, 2026 — users should monitor Totolink's advisory channels
- Immediate mitigations include disabling remote management and restricting admin interface access
- Organizations and home users running this device should prioritize replacement given the firmware's age and lack of ongoing support