CVE-2026-10126 Overview
CVE-2026-10126 is a buffer overflow vulnerability in the Edimax BR-6478AC wireless router running firmware version 1.23. The flaw resides in the formQoS function within the /goform/formQoS endpoint of the POST request handler. An attacker can manipulate the selSSID parameter to trigger memory corruption. The vulnerability is exploitable over the network and a public exploit has been released, increasing the likelihood of opportunistic attacks against exposed devices. The weakness is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Remote attackers with low-privileged access can corrupt memory on affected Edimax BR-6478AC routers, leading to potential code execution or device compromise.
Affected Products
- Edimax BR-6478AC firmware version 1.23
- Component: POST Request Handler (/goform/formQoS)
- Vulnerable function: formQoS (argument selSSID)
Discovery Timeline
- 2026-05-30 - CVE-2026-10126 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10126
Vulnerability Analysis
The vulnerability exists in the formQoS handler exposed by the router's embedded web management interface at /goform/formQoS. When the device processes a POST request, it reads the selSSID argument without enforcing proper length validation before copying the value into a fixed-size buffer. An oversized selSSID value overflows the destination buffer and corrupts adjacent memory regions on the router's CGI process stack or heap.
The attack requires network access to the management interface and a low-privileged authenticated session. Successful exploitation can crash the HTTP daemon, leading to denial of service, or be weaponized for arbitrary code execution on the embedded MIPS or ARM platform that powers the device.
Root Cause
The root cause is missing bounds checking on the selSSID parameter inside the formQoS function. The handler trusts user-supplied input length and writes the value into a buffer sized for typical SSID strings. This pattern is consistent with [CWE-119] memory boundary violations that are common in legacy SOHO router firmware compiled without modern stack protections.
Attack Vector
An attacker reaches the router's HTTP administration interface and submits a crafted POST request to /goform/formQoS containing an oversized selSSID field. Because the exploit has been published, threat actors can adapt the payload to deliver shellcode tailored to the device architecture. Internet-exposed management interfaces or compromised internal hosts that can reach the LAN-side admin page are the primary exposure paths.
Detailed technical analysis is available in the EDIMAX BR6478ACV2 formQoS research notes and the VulDB entry #367303.
Detection Methods for CVE-2026-10126
Indicators of Compromise
- POST requests to /goform/formQoS containing abnormally long selSSID values
- Unexpected reboots or HTTP daemon crashes on the BR-6478AC router
- Configuration changes to QoS settings that do not match administrator activity
- Outbound connections from the router to unfamiliar external hosts
Detection Strategies
- Inspect web server and management interface logs for requests targeting /goform/formQoS with payloads exceeding expected parameter lengths
- Deploy network IDS rules that flag HTTP POST bodies with oversized selSSID values directed at router management IPs
- Baseline router firmware integrity and alert on unauthorized configuration writes
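The first two detection strategies above can be turned into a small log check. The following is an added example, not code from the advisory or from Edimax: it parses constructed request-log entries (source, method, path, URL-encoded body) and flags POSTs to /goform/formQoS whose selSSID exceeds the 32-byte maximum that a real 802.11 SSID can have. The log line format and the sample entries are assumptions made for the example.

```python
# Added example (not from the advisory): flag POST requests to /goform/formQoS whose
# selSSID parameter is longer than any legitimate SSID. The log format below is
# constructed for this example: "SRC METHOD PATH BODY", one request per line.
from urllib.parse import parse_qs, urlsplit

# An 802.11 SSID is at most 32 bytes, so any selSSID longer than that cannot be a
# legitimate value; this makes the threshold conservative (few false positives).
MAX_SSID_LEN = 32
TARGET_PATH = "/goform/formQoS"
PARAM = "selSSID"


def check_request(method, path, body):
    """Return (suspicious, reason). Only POSTs to the QoS handler are inspected."""
    if method != "POST" or urlsplit(path).path != TARGET_PATH:
        return False, "not a formQoS POST"
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes each value
    values = params.get(PARAM, [])
    if not values:
        return False, "selSSID absent"
    # Measure the decoded byte length, i.e. what the CGI handler would copy.
    longest = max(len(v.encode("utf-8")) for v in values)
    if longest > MAX_SSID_LEN:
        return True, f"selSSID length {longest} exceeds {MAX_SSID_LEN}"
    return False, f"selSSID length {longest} within limit"


def scan_log(lines):
    """Return (source, reason) for every log entry that check_request flags."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # malformed entry, skip rather than crash the scan
        src, method, path = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        flagged, reason = check_request(method, path, body)
        if flagged:
            hits.append((src, reason))
    return hits


# Constructed sample entries: a benign QoS change, a GET, and an oversized selSSID.
SAMPLE_LOG = [
    "192.0.2.10 POST /goform/formQoS selSSID=HomeNet&enableQoS=1",
    "192.0.2.10 GET /goform/formQoS",
    "198.51.100.7 POST /goform/formQoS selSSID=" + "A" * 600 + "&enableQoS=1",
]

if __name__ == "__main__":
    for src, reason in scan_log(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

Because parse_qs percent-decodes values before the length is measured, an attacker cannot hide an oversized value behind URL encoding; adjust MAX_SSID_LEN only if the firmware is known to accept longer values for this field.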
Monitoring Recommendations
- Forward router syslog output to a centralized logging platform and alert on repeated crashes of the httpd or CGI processes
- Monitor for management interface access originating from non-administrative network segments
- Track DNS and outbound traffic from the router itself, since compromised SOHO devices often pivot to external command-and-control hosts
How to Mitigate CVE-2026-10126
Immediate Actions Required
- Restrict access to the router's web management interface to trusted administrative hosts only and disable WAN-side administration
- Audit BR-6478AC devices in your environment for firmware version 1.23 and isolate them from sensitive network segments
- Rotate administrative credentials on the affected routers to limit reuse of low-privileged sessions
Patch Information
No vendor patch has been published in the referenced advisories at the time of NVD publication. Consult Edimax support channels for firmware updates beyond version 1.23 and review the VulDB submission #818454 and VulDB CTI for #367303 for vendor coordination status.
Workarounds
- Disable remote management on the WAN interface and place the router's LAN admin page behind a management VLAN
- Apply firewall ACLs that block POST requests to /goform/formQoS from untrusted sources
- Replace end-of-life BR-6478AC units with supported hardware if the vendor does not release a fixed firmware build
# Example iptables rules restricting access to the router admin interface.
# Replace 192.0.2.0/24 with the trusted management subnet. The ACCEPT rule must be
# appended before the DROP rule, because iptables evaluates the chain top to bottom.
iptables -A INPUT -p tcp --dport 80 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.