Stack-based Buffer Overflow in Yealink SIP-T46U Firmware Chunk Upload Handler

Successful exploitation can result in severe compromise of the affected device, consistent with arbitrary memory corruption from a stack-based buffer overflow. Based on the provided CVSS assessments, the expected impact includes high confidentiality, integrity, and availability impact. In practical terms, exploitation may enable code execution in the context of the vulnerable service, device takeover, denial of service, or other undefined behavior depending on exploit reliability and runtime protections.

Restrict access to the affected device's management and upgrade interfaces, especially /api/upgrade/upgrade, to trusted administrative hosts only. Prevent exposure of the interface beyond the required management network, segment voice infrastructure from untrusted internal networks, and apply ACLs or firewall rules to limit adjacent-network reachability. Disable or tightly control firmware upgrade functionality where operationally feasible, and monitor for suspicious requests targeting firmware chunk upload parameters such as uid and start_offset. Given that a public exploit reportedly exists, prioritize compensating controls until a vendor fix is available.

Upgrade to a vendor-fixed firmware release if and when Yealink publishes one for SIP-T46U. Because the provided content identifies the affected version as 108.86.0.118 but does not specify a patched version, the exact fixed release is currently not available. If no patch is available, engage the vendor for an official remediation path and track subsequent advisories.