CVE-2026-4227

CVE-2026-4227 is a buffer overflow vulnerability affecting the LB-LINK BL-WR9000 router running firmware version 2.4.9. The issue resides in the function sub_44D844 within the file /goform/get_hidessid_cfg, which handles Hide SSID configuration requests. This flaw, associated with CWE-119, CWE-120, and CWE-125, allows improper memory operations that can be triggered remotely. The vulnerability was published on 2026-03-16 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with network access and low privileges, such as authenticated users on the device, can exploit this vulnerability remotely without user interaction. By manipulating requests to the affected endpoint, adversaries can trigger the buffer overflow, potentially leading to arbitrary code execution, data corruption, or denial of service. The high confidentiality, integrity, and availability impacts suggest successful exploitation could grant full control over the device.

Advisories from VulDB and a public GitHub disclosure detail the vulnerability but note no response from the vendor despite early notification. No patches or mitigations are available from LB-LINK, leaving affected devices exposed. Security practitioners should isolate or replace vulnerable routers, monitor for anomalous traffic to the /goform/get_hidessid_cfg endpoint, and apply network segmentation.

The exploit has been publicly disclosed and may be actively used, increasing the risk for unpatched LB-LINK BL-WR9000 deployments in home or small office environments.