CVE-2026-10259
Description
A stack-based buffer overflow in H3C Magic B0 routers (<=100R002) via SetMobileAPInfoById in /goform/aspForm enables remote denial of service or code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in H3C Magic B0 routers (<=100R002) via SetMobileAPInfoById in /goform/aspForm enables remote denial of service or code execution.
Vulnerability
A stack-based buffer overflow vulnerability exists in H3C Magic B0 routers running firmware version Magic B0<=100R002 [1]. The bug resides in the function SetMobileAPInfoById inside the file /goform/aspForm [1]. The param argument is copied into a stack buffer without any length check, allowing a crafted HTTP POST request to overflow the buffer [1].
Exploitation
An unauthenticated attacker with network access to the router can send a crafted POST request to /goform/aspForm with a long param value while specifying CMD=SetMobileAPInfoById [1]. A public proof-of-concept has been released that demonstrates the overflow [1]. No user interaction beyond sending the HTTP request is required.
Impact
Successful exploitation causes a stack-based buffer overflow, which can lead to a denial of service (crash) or remote code execution on the device [1]. The attacker gains the ability to execute arbitrary code at the privilege level of the vulnerable process, likely resulting in full compromise of the router.
Mitigation
No official fix has been released. The vendor (New H3C Technologies Co., Ltd.) was contacted but did not respond [1]. Users are advised to isolate affected routers from untrusted networks or replace them if possible. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing length validation when copying the `param` argument in `SetMobileAPInfoById` leads to a stack-based buffer overflow."
Attack vector
An attacker sends a crafted POST request to `/goform/aspForm` with `CMD=SetMobileAPInfoById` and an overly long `param` value. The request can be made remotely over the network, and the attacker must already have a valid session (as indicated by the `Cookie` header in the PoC). The overflow can cause denial of service or potentially remote code execution.
Affected code
The vulnerability resides in the function `SetMobileAPInfoById` within the file `/goform/aspForm` on H3C Magic B0 routers (firmware version ≤ 100R002). The `param` argument is copied without a length limit, leading to a stack-based buffer overflow.
What the fix does
The advisory does not include a patch. The vendor was contacted but did not respond. To remediate, the vendor should implement proper bounds checking on the `param` input before copying it into a fixed-size stack buffer, preventing the buffer overflow.
Preconditions
- networkAttacker must be able to send HTTP requests to the router's management interface.
- authAttacker must have a valid session cookie (authenticated session).
Reproduction
Send a POST request to `/goform/aspForm` with `CMD=SetMobileAPInfoById` and a `param` value consisting of many 'a' characters (as shown in the PoC). The router will crash or behave unexpectedly due to the stack buffer overflow.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.