Heap-based buffer overflow
Remote code execution
TP-Link
- Archer AX21(US)_V3_1.1.4 Build 20230219
- Archer AX21(US)_V3.6_1.1.4 Build 20230219
/usr/lib/libtmpv2.so
The variable content_length indicates the length of the content of a TMP packet, and it can be controlled by an attacker.
The process then receives another content_length bytes into the buffer v7, but v7 is smaller than the maximum value of content_length, which can lead to a buffer overflow.
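The missing check, shown as an added example that is not taken from libtmpv2.so or from the original advisory: a length-prefixed reader that compares content_length with the buffer capacity before copying anything. The 2-byte header layout, the 64-byte capacity and the stream_t stand-in for the socket are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout, not the real TMP format: 2-byte big-endian
 * content_length followed by that many payload bytes. */
#define HDR_LEN      2u
#define PAYLOAD_CAP  64u   /* assumed fixed size of the heap buffer (v7) */

/* Stand-in for recv(): copies up to n bytes from an in-memory stream. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;
static size_t stream_read(stream_t *s, uint8_t *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Returns the payload length on success, -1 on a malformed or oversized
 * packet. The flawed pattern reads content_length bytes into the buffer
 * with no comparison against its size; the bound check below is the fix. */
int read_packet_checked(stream_t *s, uint8_t **out) {
    uint8_t hdr[HDR_LEN];
    *out = NULL;
    if (stream_read(s, hdr, HDR_LEN) != HDR_LEN) return -1;
    size_t content_length = ((size_t)hdr[0] << 8) | hdr[1];
    if (content_length > PAYLOAD_CAP) return -1;   /* reject before any copy */
    uint8_t *buf = malloc(PAYLOAD_CAP);
    if (!buf) return -1;
    /* A short read means the peer sent less than it declared. */
    if (stream_read(s, buf, content_length) != content_length) { free(buf); return -1; }
    *out = buf;
    return (int)content_length;
}
/* Constructed sample packets. */
int demo_ok(void) {
    static const uint8_t pkt[] = {0x00, 0x03, 'a', 'b', 'c'};
    stream_t s = {pkt, sizeof pkt, 0};
    uint8_t *p; int n = read_packet_checked(&s, &p);
    free(p); return n;
}
int demo_oversized(void) {
    uint8_t pkt[HDR_LEN + 300] = {0x01, 0x2C};  /* declares 300 bytes, cap is 64 */
    stream_t s = {pkt, sizeof pkt, 0};
    uint8_t *p; int n = read_packet_checked(&s, &p);
    free(p); return n;
}
```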

- Archer AX21(US)_V3.6_230621
- Archer AX21(US)_V3_230621
Since this vulnerability can lead to remote code execution from the LAN side, please update the firmware as soon as possible.
https://www.tp-link.com/us/support/download/archer-ax21/#Firmware
Reported by Xiaobye, working with DEVCORE Internship Program