CVE Vulnerability Database

CVE-2026-10165: Edimax BR-6478AC Buffer Overflow Flaw

CVE-2026-10165 is a stack-based buffer overflow in Edimax BR-6478AC routers that lets remote attackers overflow a fixed-size buffer in the POST request handler. This article covers the technical details, affected versions, detection, and mitigation.

CVE-2026-10165 Overview

CVE-2026-10165 is a stack-based buffer overflow vulnerability in the Edimax BR-6478AC wireless router running firmware version 1.23. The flaw resides in the formWanTcpipSetup function, which handles POST requests to /goform/formWanTcpipSetup. Attackers can trigger the overflow by supplying an oversized pppUserName argument to the request handler. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and can be exploited remotely. A public exploit is referenced in the VulDB advisory, increasing the likelihood of opportunistic abuse against exposed devices.

Critical Impact

Remote attackers with low privileges can corrupt the stack of the router's web management daemon, potentially achieving arbitrary code execution and full device takeover.

Affected Products

  • Edimax BR-6478AC firmware version 1.23
  • Component: POST Request Handler (/goform/formWanTcpipSetup)
  • Vulnerable function: formWanTcpipSetup

Discovery Timeline

  • 2026-05-31 - CVE-2026-10165 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-10165

Vulnerability Analysis

The Edimax BR-6478AC exposes a web administration interface that processes WAN configuration changes through the formWanTcpipSetup handler. The handler reads the pppUserName parameter from incoming POST requests without enforcing a length boundary before copying the value into a fixed-size stack buffer. Sending an oversized pppUserName value overruns the buffer and corrupts adjacent stack memory, including the saved return address.

Because the request handler runs as part of the router's privileged web server process, successful exploitation can lead to arbitrary code execution on the device. An attacker who controls the device can pivot into the internal network, intercept traffic, alter DNS settings, or deploy persistent malware on the router.

Root Cause

The root cause is the absence of bounds checking on attacker-controlled input during a stack copy operation. The formWanTcpipSetup function trusts the size of the pppUserName value provided by the client and uses an unsafe string copy into a finite local buffer. This matches the CWE-119 pattern of failing to restrict operations within memory buffer bounds.

Attack Vector

Exploitation requires network access to the router's HTTP management interface and authenticated access at low privilege. The attacker sends a crafted POST request to /goform/formWanTcpipSetup containing an overlong pppUserName field. No user interaction is required. Public exploit material is referenced in the VulDB advisory and an accompanying technical writeup.

No verified exploitation code is reproduced here. Refer to the linked references for technical details of the proof of concept.

Detection Methods for CVE-2026-10165

Indicators of Compromise

  • POST requests to /goform/formWanTcpipSetup containing abnormally long pppUserName parameter values
  • Unexpected reboots or crashes of the Edimax BR-6478AC web management daemon
  • Outbound connections from the router to unfamiliar IP addresses, indicating possible post-exploitation activity
  • Unauthorized changes to WAN, DNS, or PPP configuration settings on the device

Detection Strategies

  • Inspect HTTP traffic to the router's management interface and alert on POST payloads to /goform/formWanTcpipSetup exceeding expected parameter lengths
  • Deploy network intrusion detection signatures targeting buffer overflow patterns in pppUserName form fields
  • Correlate authentication events on the router with subsequent configuration changes to identify abuse of low-privilege accounts
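A detection check of the kind described above, written for this page as an added example (it is not from the advisory, the vendor or any IDS product): it parses a raw HTTP request, percent-decodes the form body and alerts when a POST to /goform/formWanTcpipSetup carries a pppUserName longer than an assumed 64-byte threshold (the real buffer size is not published). The sample requests are constructed, not captured traffic.

```python
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/formWanTcpipSetup"  # handler named in the advisory
# The real stack buffer size is not published; 64 is an assumed alert
# threshold, well above any realistic PPPoE username.
MAX_PPP_USERNAME_LEN = 64


def parse_http_request(raw: bytes) -> tuple[str, str, dict[str, list[str]]]:
    """Split a raw HTTP/1.x request into (method, path, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    # Percent-decode before measuring: an encoded value is longer on the
    # wire than the bytes the handler actually copies into its buffer,
    # and a sender can shrink or pad the wire length at will.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return method, path, fields


def check_request(raw: bytes) -> str | None:
    """Return an alert string for a request matching the CVE pattern."""
    method, path, fields = parse_http_request(raw)
    if method != "POST" or path != VULN_PATH:
        return None
    for value in fields.get("pppUserName", []):
        if len(value) > MAX_PPP_USERNAME_LEN:
            return (f"CVE-2026-10165 pattern: pppUserName length {len(value)} "
                    f"exceeds {MAX_PPP_USERNAME_LEN} in POST {path}")
    return None


# Constructed sample traffic, not captured from a real device.
HDR = b"POST /goform/formWanTcpipSetup HTTP/1.1\r\nHost: 192.168.2.1\r\n\r\n"
BENIGN = HDR + b"wanType=pppoe&pppUserName=alice%40isp.example&pppPassword=x"
OVERSIZED = HDR + b"wanType=pppoe&pppUserName=" + b"A" * 300 + b"&pppPassword=x"
ENCODED = HDR + b"pppUserName=" + b"%41" * 70  # 210 bytes on the wire, 70 decoded
OTHER_PATH = b"POST /goform/formLogin HTTP/1.1\r\n\r\npppUserName=" + b"A" * 300

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("oversized", OVERSIZED),
                      ("encoded", ENCODED), ("other path", OTHER_PATH)]:
        print(f"{name}: {check_request(req)}")
```

Only requests to the vulnerable path are scored, so the same oversized field sent to another handler does not fire; tune the threshold to the longest legitimate username in your environment.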

Monitoring Recommendations

  • Restrict access to the router's web administration interface to trusted management VLANs and monitor all access attempts
  • Log and review all configuration changes on edge networking equipment through a centralized syslog collector
  • Baseline normal router process and network behavior to flag anomalies consistent with post-exploitation activity

How to Mitigate CVE-2026-10165

Immediate Actions Required

  • Disable remote (WAN-side) administration on the Edimax BR-6478AC if it is enabled
  • Limit LAN-side access to the management interface to a dedicated administrator subnet or specific MAC addresses
  • Rotate all router administrator credentials to prevent reuse of low-privilege accounts that could be leveraged for exploitation
  • Inventory affected devices and consider replacement if no firmware update is available from the vendor

Patch Information

At the time of publication, no vendor advisory or patched firmware release is referenced in the available CVE data for the Edimax BR-6478AC running version 1.23. Administrators should monitor the Edimax support site for firmware updates addressing the formWanTcpipSetup handler. Until a fix is available, network-level controls remain the primary mitigation.

Workarounds

  • Block external access to TCP ports used by the router's HTTP and HTTPS administration interfaces at the upstream firewall
  • Place the router behind a network segment that restricts administrative access to trusted hosts only
  • Where feasible, replace affected end-of-support hardware with current models that receive active security maintenance
```bash
# Example iptables rules to restrict router admin access to a trusted host.
# 192.0.2.10 is a documentation-range placeholder; substitute the admin host.
# These INPUT rules apply on the host serving the admin interface; on an
# upstream firewall that forwards to the router, use the FORWARD chain with
# -d <router IP> instead. Order matters: -A appends, so ACCEPT precedes DROP.
iptables -A INPUT -p tcp --dport 80 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
