Cyber Posture

CVE-2026-4226

High · Public PoC

Published: 16 March 2026

Modified: 20 March 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

A weakness has been identified in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /goform/get_virtual_cfg. Executing a manipulation can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Enforces validation of remote inputs to the vulnerable /goform/get_virtual_cfg function, directly preventing stack-based buffer overflows from malicious payloads.

prevent: Implements memory safeguards like stack canaries and non-executable memory to block exploitation of the stack-based buffer overflow for remote code execution.

prevent: Requires timely identification, reporting, and remediation of the specific buffer overflow flaw in LB-LINK BL-WR9000 firmware version 2.4.9.

Security Summary [AI]

CVE-2026-4226 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121, CWE-787) affecting the LB-LINK BL-WR9000 router on firmware version 2.4.9. The flaw exists in the function sub_44E8D0 within the /goform/get_virtual_cfg file, where improper input handling allows a stack overflow that can be triggered remotely.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 8.8, and a public exploit is available, enabling potential remote code execution or device compromise.

Advisories from VulDB and a GitHub repository detail the issue but note that the vendor was contacted early about the disclosure and provided no response. No official patches or mitigations are available from the vendor, leaving affected devices exposed.

Details

CWE(s)

Affected Products

lb-link · bl-wr9000 firmware · 2.4.9

MITRE ATT&CK Enterprise Techniques [AI]

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in router's web management interface (/goform/) enables remote code execution on a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References