CVE-2022-26376

A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.

| Provider | Type | Base Score | Attack Vector | Attack Complexity | Privileges Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| talos | CNA | 5.3 MEDIUM | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |

EPSS Score percentile: 45%

| Vendor | Product | Version |
|---|---|---|
| asus | asuswrt | 𝑥 < 3.0.0.4.386_48706 |
| asuswrt-merlin | new_gen | 𝑥 < 386.7 |
| asus | xt8_firmware | 𝑥 < 3.0.0.4.386_48706 |
| asus | tuf-ax3000_v2_firmware | 𝑥 < 3.0.0.4.386_48750 |
| asus | xd4_firmware | 𝑥 < 3.0.0.4.386_48790 |
| asus | et12_firmware | 𝑥 < 3.0.0.4.386_48823 |
| asus | gt-ax6000_firmware | 𝑥 < 3.0.0.4.386_48823 |
| asus | xt12_firmware | 𝑥 < 3.0.0.4.386_48823 |
| asus | rt-ax58u_firmware | 𝑥 < 3.0.0.4.386_48908 |
| asus | xt9_firmware | 𝑥 < 3.0.0.4.388_20027 |
| asus | xd6_firmware | 𝑥 < 3.0.0.4.386_49356 |
| asus | gt-ax11000_pro_firmware | 𝑥 < 3.0.0.4.386_48996 |
| asus | gt-axe16000_firmware | 𝑥 < 3.0.0.4.386_48786 |
| asus | rt-ax86u_firmware | 𝑥 < 3.0.0.4.386_49447 |
| asus | rt-ax68u_firmware | 𝑥 < 3.0.0.4.386_49479 |
| asus | rt-ax82u_firmware | 𝑥 < 3.0.0.4.386_49380 |
| asus | rt-ax56u_firmware | 𝑥 < 3.0.0.4.386_49559 |
| asus | rt-ax55_firmware | 𝑥 < 3.0.0.4.386_49559 |
| asus | gt-ax11000_firmware | 𝑥 < 3.0.0.4.386_49559 |

𝑥 = Vulnerable software versions