CVE-2026-2329

Published Feb 18, 2026

Last updated 3 months ago

CVSS critical 9.3
API
Firmware
HTTP

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-2329 is an unauthenticated stack-based buffer overflow vulnerability affecting the HTTP API endpoint `/cgi-bin/api.values.get` in Grandstream GXP1600 series VoIP phones. This flaw, categorized as CWE-121, impacts several models including GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630. The vulnerability allows a remote attacker to send specially crafted HTTP requests to the specified endpoint without needing authentication or user interaction. The issue stems from the device's web-based API service failing to perform a length check when appending data to a 64-byte buffer on the stack. This oversight enables an attacker to overflow the buffer, corrupting adjacent stack memory and leading to unauthenticated remote code execution with root privileges on the vulnerable device.

Description
An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.
Source
cve@rapid7.com
NVD status
Analyzed
Products
gxp1610_firmware, gxp1615_firmware, gxp1620_firmware, gxp1625_firmware, gxp1628_firmware, gxp1630_firmware

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

cve@rapid7.com
CWE-121

Social media

Hype score
Not currently trending

  1. ペネトレーションテストツールのMetasploitが更新。Linux向けRC4パッカー、OllamaのCVE-2024-37032、BeyondTrustのCVE-2026-1731、GrandstreamのCVE-2026-2329に対応する攻撃コード、Windows向け永続化の追加。 https://t.co/GiidCAOHcs

    @__kokumoto

    28 Feb 2026

    1962 Impressions

    5 Retweets

    36 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Boundary Community Edition and Boundary Enterprise (“Boundary”) workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5.CVE-2026-7776
  2. A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.CVE-2026-7738
  3. In the Linux kernel, the following vulnerability has been resolved: comedi: me_daq: Fix potential overrun of firmware buffer `me2600_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards. Although it checks that the supplied firmware is at least 16 bytes long, it does not check that it is long enough to contain the data stream. Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.CVE-2026-31748
  4. Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.CVE-2024-54011
  5. A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host and does not verify user privileges, integrity of uploaded images, or the authenticity of provided firmware.CVE-2026-25775

References

Sources include official advisories and independent security research.