CVE-2026-10163 Overview
CVE-2026-10163 is a buffer overflow vulnerability in the Edimax BR-6478AC wireless router running firmware version 1.23. The flaw resides in the formUSBAccount function located at /goform/formUSBAccount, which handles POST requests for USB account configuration. Attackers can trigger the overflow by manipulating the UserName or Password parameters. The vulnerability is remotely exploitable over the network and requires only low privileges. The exploit has been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed devices. The issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Remote attackers with low privileges can corrupt memory on affected Edimax BR-6478AC routers, potentially leading to denial of service or arbitrary code execution on the device.
Affected Products
- Edimax BR-6478AC firmware version 1.23
- Component: POST Request Handler (/goform/formUSBAccount)
- Vulnerable function: formUSBAccount
Discovery Timeline
- 2026-05-31 - CVE-2026-10163 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10163
Vulnerability Analysis
The vulnerability exists in the formUSBAccount handler that processes POST requests to /goform/formUSBAccount on the Edimax BR-6478AC router. The handler accepts user-supplied UserName and Password arguments without enforcing proper length validation. When oversized values are submitted, the function writes beyond the allocated buffer boundary, corrupting adjacent memory regions. This memory corruption pattern aligns with CWE-119 and can be leveraged for control-flow hijacking on embedded MIPS or ARM router firmware.
The device exposes the endpoint through its web administration interface, which typically runs on the router's LAN side but may be reachable from the WAN if remote management is enabled. Because the exploit has been disclosed publicly, defenders should assume working proof-of-concept code is available.
Root Cause
The root cause is missing or insufficient bounds checking in the formUSBAccount function before copying the UserName and Password POST parameters into fixed-size stack or heap buffers. Embedded router firmware frequently uses unsafe C string functions such as strcpy or sprintf without length validation, which produces this class of flaw.
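The pattern described above, as an added illustration that is not the firmware's code: the actual formUSBAccount buffer sizes and copy routine are not public, so the 32-byte fields, the struct layout and the function names here are assumptions. The unsafe variant copies with strcpy exactly as the root-cause paragraph describes; the hardened variant measures each value against the destination size before any copy and rejects, rather than truncates, oversized input.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed field sizes; the device's real buffer sizes are not published. */
#define USB_NAME_MAX 32
#define USB_PASS_MAX 32

/* Constructed stand-in for a USB account record with fixed-size fields. */
struct usb_account {
    char user[USB_NAME_MAX];
    char pass[USB_PASS_MAX];
};

/* Vulnerable pattern (illustrative only): strcpy copies until the NUL byte
 * regardless of destination size, so an oversized UserName or Password
 * runs past its field into adjacent memory (CWE-119). Kept for contrast;
 * nothing below calls it. */
void set_account_unsafe(struct usb_account *acct,
                        const char *user, const char *pass)
{
    strcpy(acct->user, user);   /* no bounds check */
    strcpy(acct->pass, pass);   /* no bounds check */
}

/* Length of s, never scanning further than cap bytes. Returns cap when the
 * string is at least cap bytes long, i.e. too long to fit with its NUL. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: validate before copying. A value that does not fit, NUL
 * included, is refused outright, so the caller can return an HTTP error
 * instead of storing a silently truncated credential. */
bool set_account_checked(struct usb_account *acct,
                         const char *user, const char *pass)
{
    size_t ulen = bounded_len(user, USB_NAME_MAX);
    size_t plen = bounded_len(pass, USB_PASS_MAX);

    if (ulen >= USB_NAME_MAX || plen >= USB_PASS_MAX)
        return false;

    memcpy(acct->user, user, ulen + 1);  /* +1 copies the terminating NUL */
    memcpy(acct->pass, pass, plen + 1);
    return true;
}

int main(void)
{
    struct usb_account acct;
    char oversized[128];

    /* Constructed oversized value: 127 'A' bytes, far beyond USB_NAME_MAX. */
    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    printf("normal value:    %s\n",
           set_account_checked(&acct, "share", "s3cret") ? "accepted" : "rejected");
    printf("oversized value: %s\n",
           set_account_checked(&acct, oversized, "s3cret") ? "accepted" : "rejected");
    return 0;
}
```

The check is deliberately a reject rather than a strncpy-style truncation: truncating a UserName or Password changes the credential the user asked for and can hide the fact that an input limit was hit, while a refusal surfaces it to the caller and produces a loggable event.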
Attack Vector
An authenticated attacker sends a crafted HTTP POST request to /goform/formUSBAccount containing oversized UserName or Password field values. The attack vector is network-based and does not require user interaction. Successful exploitation can crash the HTTP daemon, reboot the device, or, in advanced scenarios, execute attacker-controlled code with the privileges of the web management process. Technical analysis is published in the Notion writeup on EDIMAX BR6478ACV2 formUSBAccount and the VulDB entry #367416.
No verified proof-of-concept code is reproduced here. Refer to the linked advisories for technical details.
Detection Methods for CVE-2026-10163
Indicators of Compromise
- Unexpected reboots or crashes of the Edimax BR-6478AC web management daemon
- HTTP POST requests to /goform/formUSBAccount containing abnormally long UserName or Password parameter values
- Loss of management interface availability following a POST request from an untrusted source
- New or unexpected USB account entries appearing in router configuration
Detection Strategies
- Inspect HTTP traffic destined for router management interfaces for POST requests targeting /goform/formUSBAccount with field lengths exceeding reasonable thresholds
- Deploy network intrusion detection signatures that flag oversized form parameters against known embedded device endpoints
- Correlate router crash events with preceding HTTP POST activity from internal hosts or WAN sources
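The first detection strategy above, as an added example that is not part of the advisory: a small checker that takes an HTTP request line and form body (as an IDS preprocessor or proxy log parser would hand them over), confirms the request is a POST to /goform/formUSBAccount, and flags it when the UserName or Password value exceeds a length threshold. The 64-byte threshold and the sample requests are constructed for this example; lengths are measured on the raw URL-encoded value, which is never shorter than the decoded value, so the check can over-flag but cannot miss an oversized decoded parameter.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Tuning assumption: legitimate USB account names and passwords on the
 * device are short, so anything past this is worth an alert. */
#define PARAM_LEN_THRESHOLD 64

/* Constructed benign request, as a proxy or IDS might log it. */
static const char *benign_line = "POST /goform/formUSBAccount HTTP/1.1";
static const char *benign_body = "UserName=share&Password=s3cret&submit=Apply";

/* True when the request line is a POST to the vulnerable endpoint,
 * with or without a query string. */
bool targets_usb_account(const char *request_line)
{
    const char *path = "/goform/formUSBAccount";
    size_t plen = strlen(path);
    const char *uri;

    if (strncmp(request_line, "POST ", 5) != 0)
        return false;
    uri = request_line + 5;
    if (strncmp(uri, path, plen) != 0)
        return false;
    return uri[plen] == ' ' || uri[plen] == '?' || uri[plen] == '\0';
}

/* Raw (still URL-encoded) length of the value of `name` in an
 * application/x-www-form-urlencoded body, or -1 if the key is absent.
 * Keys are matched whole, so "UserName" does not match "UserName2". */
long form_value_len(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;

    while (*p != '\0') {
        const char *amp = strchr(p, '&');
        const char *end = amp ? amp : p + strlen(p);
        const char *eq = strchr(p, '=');

        if (eq != NULL && eq < end &&
            (size_t)(eq - p) == nlen && strncmp(p, name, nlen) == 0)
            return (long)(end - (eq + 1));
        if (amp == NULL)
            break;
        p = amp + 1;
    }
    return -1;
}

/* Alert decision for one request: right endpoint and an oversized field. */
bool flag_request(const char *request_line, const char *body)
{
    if (!targets_usb_account(request_line))
        return false;
    return form_value_len(body, "UserName") > PARAM_LEN_THRESHOLD ||
           form_value_len(body, "Password") > PARAM_LEN_THRESHOLD;
}

/* Builds a constructed suspicious body "UserName=AAA...&Password=x" with
 * value_len 'A' bytes. Returns 0 on success, -1 if buf is too small. */
int build_oversized_body(char *buf, size_t cap, size_t value_len)
{
    const char *prefix = "UserName=", *suffix = "&Password=x";
    size_t off = 0;

    if (strlen(prefix) + value_len + strlen(suffix) + 1 > cap)
        return -1;
    memcpy(buf + off, prefix, strlen(prefix));
    off += strlen(prefix);
    memset(buf + off, 'A', value_len);
    off += value_len;
    memcpy(buf + off, suffix, strlen(suffix) + 1);  /* includes NUL */
    return 0;
}

int main(void)
{
    char body[512];

    printf("benign request flagged:    %s\n",
           flag_request(benign_line, benign_body) ? "yes" : "no");
    if (build_oversized_body(body, sizeof(body), 300) == 0)
        printf("oversized request flagged: %s\n",
               flag_request(benign_line, body) ? "yes" : "no");
    return 0;
}
```

In production the same decision would be expressed as an IDS rule with a content match on the endpoint and a length check on the two parameters; the threshold is the only knob, and it should sit well above the longest value a legitimate administrator would ever enter so that the alert stays high-confidence.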
Monitoring Recommendations
- Forward router syslog data to a centralized logging platform and alert on repeated httpd process restarts
- Monitor for unauthorized access attempts to the router administration interface from non-management subnets
- Track outbound connections from the router itself, which may indicate post-exploitation command-and-control activity
How to Mitigate CVE-2026-10163
Immediate Actions Required
- Disable remote (WAN-side) management on the Edimax BR-6478AC until a vendor patch is available
- Restrict access to the router web administration interface to a dedicated management VLAN or trusted hosts only
- Rotate administrative credentials for the device to limit the value of leaked low-privilege accounts
- Audit router logs and configuration for unauthorized USB account entries or unexpected changes
Patch Information
No vendor patch has been referenced in the published advisory at the time of disclosure. Administrators should monitor the Edimax support portal for firmware updates addressing the formUSBAccount function and apply them immediately once released. Consult the VulDB vulnerability record #367416 for ongoing updates.
Workarounds
- Place the router behind an upstream firewall that blocks unsolicited inbound HTTP and HTTPS traffic to the management interface
- Disable the USB sharing feature if it is not required, reducing exposure of the formUSBAccount code path
- Replace end-of-life or unsupported Edimax BR-6478AC devices with currently supported hardware that receives security updates
# Example: block external access to the router management interface using iptables on an upstream firewall
# Replace <router_ip> with the router's address and 10.0.0.0-10.0.0.255 with your trusted management range;
# insert these rules ahead of any broader ACCEPT rule in the FORWARD chain so they are evaluated first.
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -m iprange ! --src-range 10.0.0.0-10.0.0.255 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -m iprange ! --src-range 10.0.0.0-10.0.0.255 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.