Cyber Resilience

CVE-2026-4226

Severity: High · Public PoC

Published: 16 March 2026
Modified: 20 March 2026
KEV Added: not listed
Patch: none from vendor
CVSS Score v4: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0069 (48.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4226 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Lb-Link Bl-Wr9000 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 48.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4226 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121, CWE-787) affecting the LB-LINK BL-WR9000 router on firmware version 2.4.9. The flaw exists in the function sub_44E8D0 within the /goform/get_virtual_cfg file, where improper input handling lets a remotely supplied request overflow a stack buffer.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 8.8, and a public exploit is available, enabling potential remote code execution or device compromise.

Advisories from VulDB and a GitHub repository detail the issue but note that the vendor was contacted early about the disclosure and provided no response. No official patches or mitigations are available from the vendor, leaving affected devices exposed.

Vulnerability details

A weakness has been identified in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /goform/get_virtual_cfg. Executing a manipulation can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in router's web management interface (/goform/) enables remote code execution on a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4227: Same product: Lb-Link Bl-Wr9000
CVE-2026-4228: Same product: Lb-Link Bl-Wr9000
CVE-2025-10773: Same vendor: Lb-Link
CVE-2026-4961: Shared CWE-119, CWE-121
CVE-2026-5212: Shared CWE-119, CWE-121
CVE-2026-5211: Shared CWE-119, CWE-121
CVE-2025-1608: Same vendor: Lb-Link
CVE-2026-5044: Shared CWE-119, CWE-121
CVE-2025-9748: Shared CWE-119, CWE-121
CVE-2026-4960: Shared CWE-119, CWE-121

Affected Assets

lb-link
bl-wr9000 firmware
2.4.9

Mitigating Controls (NIST 800-53 r5, AI-generated)

SI-10 Information Input Validation · prevent
Enforces validation of remote inputs to the vulnerable /goform/get_virtual_cfg function, directly preventing stack-based buffer overflows from malicious payloads.

SI-16 Memory Protection · prevent
Implements memory safeguards like stack canaries and non-executable memory to block exploitation of the stack-based buffer overflow for remote code execution.

prevent
Requires timely identification, reporting, and remediation of the specific buffer overflow flaw in LB-LINK BL-WR9000 firmware version 2.4.9.
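An added defender-side example, not taken from the page, VulDB or the vendor: Python that scans router web-interface access-log lines for requests to the /goform/get_virtual_cfg endpoint that carry an oversized parameter value (the input-validation signal behind SI-10) or that arrive from outside the administrative LAN. Only the endpoint path comes from the advisory; the log format, the parameter name idx, the 256-byte threshold, the 192.168.1.0/24 management network and every sample log line are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

WATCHED_PATH = "/goform/get_virtual_cfg"   # endpoint named in the advisory
MAX_PARAM_LEN = 256                        # assumed: longest value a real lookup needs
MANAGEMENT_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed admin LAN

# Common Log Format-style line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyse_line(line):
    """Return a finding dict for a suspicious request to WATCHED_PATH, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                          # not an access-log line we understand
    url = urlsplit(m["target"])
    if url.path != WATCHED_PATH:
        return None
    reasons = []
    # Input-validation angle: a value far longer than any legitimate lookup needs.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"oversized_param:{name}={len(value)}B")
    # Exposure angle: the management interface should only be reached from the admin LAN.
    try:
        if ipaddress.ip_address(m["ip"]) not in MANAGEMENT_NET:
            reasons.append("source_outside_management_net")
    except ValueError:
        reasons.append("unparseable_source_ip")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reasons": reasons}

def scan(log_text):
    """Run analyse_line over every line and keep only the findings."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]

# Constructed sample lines (not real device logs): a benign LAN lookup, an oversized
# value from the Internet, an unrelated endpoint, and a normal request from outside the LAN.
SAMPLE_LOG = (
    '192.168.1.23 - - [17/Mar/2026:10:01:02 +0000] "GET /goform/get_virtual_cfg?idx=1 HTTP/1.1" 200 512\n'
    '203.0.113.9 - - [17/Mar/2026:10:01:05 +0000] "GET /goform/get_virtual_cfg?idx='
    + "A" * 600 + ' HTTP/1.1" 200 0\n'
    '192.168.1.23 - - [17/Mar/2026:10:01:09 +0000] "GET /goform/get_wan_cfg?idx=2 HTTP/1.1" 200 300\n'
    '198.51.100.4 - - [17/Mar/2026:10:01:12 +0000] "GET /goform/get_virtual_cfg?idx=3 HTTP/1.1" 401 0\n'
)
```

Run `scan(SAMPLE_LOG)` to list the two flagged requests; in production, feed it the device's syslog-forwarded access log and alert on any finding with an `oversized_param` reason.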
