CVE-2026-10164: Edimax BR-6478AC Buffer Overflow Flaw

CVE-2026-10164 Overview

CVE-2026-10164 is a buffer overflow vulnerability in the Edimax BR-6478AC wireless router running firmware version 1.23. The flaw resides in the formUSBFolder function handled by /goform/formUSBFolder within the POST request handler component. Attackers can trigger the overflow by manipulating the ShareName or SelectName arguments. The issue is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). The exploit details have been disclosed publicly, increasing the risk of opportunistic targeting against exposed devices.

Critical Impact
Remote authenticated attackers can corrupt memory on the router, potentially leading to device compromise, persistent network foothold, and disruption of network availability.

Affected Products

Edimax BR-6478AC firmware version 1.23
Edimax BR-6478AC V2 (referenced in vulnerability submission)
Devices exposing the /goform/formUSBFolder endpoint over the network

Discovery Timeline

2026-05-31 - CVE-2026-10164 published to NVD
2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-10164

Vulnerability Analysis

The vulnerability exists within the formUSBFolder handler responsible for processing USB share configuration on the Edimax BR-6478AC router. When a POST request is sent to /goform/formUSBFolder, the handler reads the ShareName and SelectName parameters supplied by the client. The function copies these values into fixed-size memory buffers without validating their length, producing a classic buffer overflow condition. An attacker with network access and low-privilege credentials can craft an oversized payload that overwrites adjacent memory. Successful exploitation can corrupt control structures and cause arbitrary code execution paths inside the router's web management process.

Root Cause

The root cause is the absence of bounds checking on user-controlled input within the formUSBFolder function. The handler trusts the length of ShareName and SelectName rather than enforcing the destination buffer size. This corresponds to [CWE-119], where operations on memory occur outside the intended buffer boundaries. Embedded firmware components frequently rely on unbounded string copy routines, which makes this defect a recurring pattern in consumer-grade router firmware.

Attack Vector

The attack vector is network-based and requires low privileges on the device's web interface. An attacker sends a crafted POST request to /goform/formUSBFolder containing an oversized ShareName or SelectName parameter. Because the issue affects the router's HTTP management interface, exposure increases significantly when remote administration is enabled or when the device is reachable from segmented internal networks. Public exploit information is referenced through VulDB Vulnerability Details and the Notion Document on EDIMAX.

No verified proof-of-concept code is reproduced here. See the referenced advisories for technical reproduction details.

Detection Methods for CVE-2026-10164

Indicators of Compromise

POST requests to /goform/formUSBFolder containing abnormally long ShareName or SelectName values
Unexpected reboots or crashes of the router's HTTP management daemon
Unauthorized changes to USB share configuration on the device
Outbound connections from the router to unknown infrastructure following management interface access

Detection Strategies

Inspect HTTP traffic to the router management interface for oversized form parameters exceeding typical share name lengths
Monitor authentication logs for low-privilege accounts issuing POST requests to USB configuration endpoints
Alert on repeated requests to /goform/formUSBFolder from a single source within short time windows

Monitoring Recommendations

Forward router syslog data to a centralized logging platform for retention and correlation
Baseline normal administrative activity to identify deviations in request size and frequency
Track firmware version inventory across deployed Edimax devices to identify unpatched units

How to Mitigate CVE-2026-10164

Immediate Actions Required

Disable remote management on Edimax BR-6478AC devices and restrict the web interface to trusted management networks
Rotate administrative credentials for the router to limit reuse by attackers leveraging the public exploit
Segment routers from sensitive internal assets to limit pivot opportunities if a device is compromised
Audit devices for unexpected configuration changes to USB share settings

Patch Information

At the time of publication, no vendor advisory or firmware patch is referenced in the NVD entry. Administrators should monitor the VulDB Vulnerability Details page and Edimax support channels for an official fix. Until a patched firmware release is available, compensating controls must be applied.

Workarounds

Block external access to the router's HTTP management interface at the perimeter firewall
Disable the USB sharing functionality if it is not required in the deployment
Restrict management interface access to a dedicated VLAN reachable only by administrative workstations
Replace end-of-life Edimax BR-6478AC units with actively supported hardware where a fix is unlikely to be issued

bash

# Example: restrict router management interface to a trusted subnet using upstream firewall rules
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s 10.0.10.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP