Cve-2026-9479 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-9479/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 26 May 2026 14:39:49 +0000Edimax EW-7438RPn Stack-Based Buffer Overflow Vulnerability (CVE-2026-9479)https://feed.craftedsignal.io/briefs/2026-05-edimax-buffer-overflow/Tue, 26 May 2026 14:39:49 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-edimax-buffer-overflow/A stack-based buffer overflow vulnerability (CVE-2026-9479) exists in the formLogout function of the /goform/formLogout file in Edimax EW-7438RPn 1.31, triggered by manipulating the submit-url argument, allowing remote attackers to execute arbitrary code.A stack-based buffer overflow vulnerability, tracked as CVE-2026-9479, has been identified in Edimax EW-7438RPn version 1.31. The vulnerability resides within the formLogout function of the /goform/formLogout file. By manipulating the submit-url argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists for this vulnerability. The vendor was notified but did not respond to the disclosure. This vulnerability poses a significant risk to devices exposed to untrusted networks.

Attack Chain

  1. Attacker identifies an Edimax EW-7438RPn device running firmware version 1.31.
  2. Attacker crafts a malicious HTTP request targeting the /goform/formLogout endpoint.
  3. The crafted request includes a submit-url argument with a string exceeding the buffer’s capacity.
  4. The formLogout function processes the submit-url argument without proper bounds checking.
  5. The excessive data overwrites memory on the stack, including the return address.
  6. The function attempts to return, but the overwritten return address redirects execution to attacker-controlled code.
  7. Attacker gains arbitrary code execution on the device.
  8. Attacker leverages code execution to establish persistence or further compromise the network.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Edimax EW-7438RPn device. This could lead to a complete compromise of the device, including data exfiltration, modification of device settings, or use of the device as a bot in a larger attack. Given the lack of vendor response, affected devices remain vulnerable.

Recommendation

  • Monitor web server logs for POST requests to /goform/formLogout with abnormally long submit-url parameters using the Sigma rule provided below.
  • Implement web application firewall (WAF) rules to block requests containing excessively long submit-url parameters to /goform/formLogout.
  • Since the vendor has not provided a patch, consider replacing the affected Edimax EW-7438RPn devices.
]]>criticalthreatcve-2026-9479buffer-overflowweb-application