CVE-2022-1511: 
PHP vulnerability analysis and mitigation

A memory corruption vulnerability was discovered in the httpd unescape functionality of Asuswrt prior to version 3.0.0.4.38648706 and Asuswrt-Merlin New Gen prior to version 386.7. The vulnerability, tracked as CVE-2022-26376, was discovered by Francesco Benvenuto of Cisco Talos and publicly disclosed on July 27, 2022 ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2022-1511), Talos Blog).

The vulnerability exists in the httpd component's cgi.c file, specifically in the unescape function. The function incorrectly assumes that after a '%' character there are always two characters present in URL-encoded strings. This assumption can lead to an out-of-bounds read when processing malformed input, and in subsequent iterations, could cause an out-of-bounds write by removing the null terminator. The vulnerability received a CVSSv3 score of 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and is classified as CWE-787 (Out-of-bounds Write) (Talos Report).

When exploited, this vulnerability can lead to memory corruption through specially-crafted HTTP requests. The vulnerability affects both the official Asuswrt firmware and the Asuswrt-Merlin New Gen open-source firmware alternative for Asus wireless routers, as well as ASUSWRT, the company's user interface software for managing Asus devices (Talos Blog).

The vulnerability has been patched in Asuswrt version 3.0.0.4.38648706 and later, and in Asuswrt-Merlin New Gen version 386.7 and later. Users are advised to update their router firmware to the latest available version that includes these fixes ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2022-1511)).