CVE-2026-4227
Published: 16 March 2026
Summary
CVE-2026-4227 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in LB-LINK BL-WR9000 firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly validates inputs to the vulnerable /goform/get_hidessid_cfg endpoint, preventing buffer overflow exploitation in sub_44D844.
SI-16 (Memory Protection): Implements memory protections such as stack canaries, ASLR, and DEP to mitigate buffer overflow vulnerabilities like CWE-119 in the affected function.
Requires monitoring for publicly disclosed flaws like CVE-2026-4227 and remediating via patching, isolation, or replacement since no vendor fix is available.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in the router's web management interface (/goform/get_hidessid_cfg) enables remote exploitation by authenticated low-privilege users for arbitrary code execution, directly mapping to public-facing application exploitation (T1190), remote services exploitation (T1210), and privilege escalation (T1068).
NVD Description
A security vulnerability has been detected in LB-LINK BL-WR9000 2.4.9. The impacted element is the function sub_44D844 of the file /goform/get_hidessid_cfg. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysis
CVE-2026-4227 is a buffer overflow vulnerability affecting the LB-LINK BL-WR9000 router running firmware version 2.4.9. The issue resides in the function sub_44D844 within the file /goform/get_hidessid_cfg, which handles Hide SSID configuration requests. This flaw, associated with CWE-119, CWE-120, and CWE-125, allows improper memory operations that can be triggered remotely. The vulnerability was published on 2026-03-16 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Attackers with network access and low privileges, such as authenticated users on the device, can exploit this vulnerability remotely without user interaction. By manipulating requests to the affected endpoint, adversaries can trigger the buffer overflow, potentially leading to arbitrary code execution, data corruption, or denial of service. The high confidentiality, integrity, and availability impacts suggest successful exploitation could grant full control over the device.
Advisories from VulDB and a public GitHub disclosure detail the vulnerability but note no response from the vendor despite early notification. No patches or mitigations are available from LB-LINK, leaving affected devices exposed. Security practitioners should isolate or replace vulnerable routers, monitor for anomalous traffic to the /goform/get_hidessid_cfg endpoint, and apply network segmentation.
The exploit has been publicly disclosed and may be actively used, increasing the risk for unpatched LB-LINK BL-WR9000 deployments in home or small office environments.
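The endpoint monitoring recommended above can be prototyped over web access logs. This is an added example, not code from the advisory or the vendor; the log layout (combined-style with the request length as the last field), the management subnet, and the size threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/goform/get_hidessid_cfg"  # path named in the advisory
# Assumptions, tune per site: admin hosts, normal request size, log layout.
MGMT_NETS = [ipaddress.ip_network("192.168.16.0/28")]
MAX_REQUEST_BYTES = 256
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+)$'
)
# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    '192.168.16.5 - - [16/Mar/2026:10:00:01 +0000] "POST /goform/get_hidessid_cfg HTTP/1.1" 200 212',
    '192.168.16.77 - - [16/Mar/2026:10:02:13 +0000] "POST /goform/get_hidessid_cfg HTTP/1.1" 200 198',
    '192.168.16.5 - - [16/Mar/2026:10:03:40 +0000] "POST /goform/get_hidessid_cfg?x=1 HTTP/1.1" 502 4821',
    '192.168.16.77 - - [16/Mar/2026:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 310',
]

def classify(line):
    """Return None for unrelated lines, else a list of alert reasons (may be empty)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = re.sub(r"/+", "/", unquote(urlsplit(m["target"]).path)).lower()
    if path.rstrip("/") != ENDPOINT:
        return None
    reasons = []
    try:
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in MGMT_NETS):
            reasons.append("source outside management networks")
    except ValueError:
        reasons.append("unparseable source address")
    if int(m["req_len"]) > MAX_REQUEST_BYTES:
        reasons.append("oversized request")
    if m["status"].startswith("5"):
        reasons.append("server error status")
    return reasons

def scan(lines):
    """Return (source, reasons) for every endpoint request that raised a reason."""
    return [(line.split()[0], r) for line in lines if (r := classify(line))]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {ENDPOINT} from {src}: {', '.join(reasons)}")
```
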
Details
- CWE(s)