CVE-2026-4861
Published: 26 March 2026
Summary
CVE-2026-4861 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wavlink Wl-Nu516U1 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates manipulated inputs like Content-Length in the nas.cgi ftext function to prevent stack-based buffer overflows.
Implements memory protection safeguards such as stack canaries or DEP to block unauthorized code execution from buffer overflow exploits.
Requires identification and timely remediation of the known stack buffer overflow flaw in the Wavlink device firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing /cgi-bin/nas.cgi (Content-Length) yields remote unauthenticated-to-root or low-priv-to-root RCE; directly maps to T1190 for the network-exposed service and T1068 for the privilege-escalation outcome given PR:L + full C/I/A impact.
NVD Description
A weakness has been identified in Wavlink WL-NU516U1 260227. This vulnerability affects the function ftext of the file /cgi-bin/nas.cgi. This manipulation of the argument Content-Length causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made…
more
available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-4861 is a stack-based buffer overflow vulnerability affecting the Wavlink WL-NU516U1 device with firmware version 260227. The flaw resides in the ftext function of the /cgi-bin/nas.cgi component and is triggered by manipulation of the Content-Length argument. Published on 2026-03-26, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and 121 (Stack-based Buffer Overflow).
An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and without requiring user interaction. Exploitation leads to high impacts on confidentiality, integrity, and availability, enabling potential arbitrary code execution on the affected device.
Advisories from VulDB indicate that the vendor was contacted early regarding this issue but provided no response or patches. A public exploit is available in a GitHub repository detailing the Content-Length manipulation, along with VulDB entries documenting the vulnerability (ctiid.353192, id.353192, submit.776217). Security practitioners should isolate affected devices and monitor for exploitation attempts until vendor remediation is available.
Details
- CWE(s)