Edimax EW-7438RPn formAccept stack-based overflow
Description
A weakness has been identified in Edimax EW-7438RPn 1.31. This impacts the function formAccept of the file /goform/formAccept. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Edimax EW-7438RPn 1.31 formAccept function allows remote attackers to crash the device or execute arbitrary code.
Vulnerability
A stack-based buffer overflow vulnerability exists in the formAccept function of the /goform/formAccept endpoint in Edimax EW-7438RPn firmware version 1.31. The submit-url parameter is copied directly into a stack buffer without any length validation, allowing an attacker to overwrite the return address and adjacent memory [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP POST request to /goform/formAccept with an excessively long submit-url value. The PoC demonstrates a request with a string of over 1600 'a' characters, which causes the device to crash [1]. No special privileges or user interaction is required beyond network access to the device.
Impact
Successful exploitation overflows the stack buffer, which can cause a denial of service (device crash) or, with careful manipulation, arbitrary code execution. This could allow an attacker to gain full control of the affected device [1].
Mitigation
As of the publication date, the vendor has not responded to disclosure and no patch or firmware update is available. Users should consider isolating the device from untrusted networks or replacing it with a supported alternative. No known workarounds exist.
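To support isolating the device, the following added example (not from the advisory, the vendor or the referenced PoC) shows a check that a filtering proxy or log-review script in front of the device could apply to requests for /goform/formAccept. The 256-byte limit, the function names and the sample requests are assumptions constructed for illustration; the firmware's real buffer size is not given on this page.

```python
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/goform/formaccept"  # endpoint from the advisory, lowercased for comparison
TARGET_PARAM = "submit-url"         # parameter from the advisory
MAX_LEN = 256                       # assumed policy limit; the real buffer size is not published


def inspect_request(raw: bytes, max_len: int = MAX_LEN):
    """Classify one raw HTTP request as ("ignore" | "allow" | "block", decoded_length)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) != 3:
        return "block", 0  # malformed request line: fail closed
    url = urlsplit(parts[1])
    if url.path.rstrip("/").lower() != TARGET_PATH:
        return "ignore", 0
    # Decode as latin-1 so one decoded character equals one byte on the wire.
    # The field is checked in the form body and in the query string, and the
    # length is measured after percent-decoding so "%61" counts as one byte.
    fields = []
    for blob in (body.decode("latin-1"), url.query):
        fields += parse_qsl(blob, keep_blank_values=True, encoding="latin-1")
    longest = max((len(v) for k, v in fields if k.lower() == TARGET_PARAM), default=0)
    return ("block" if longest > max_len else "allow"), longest


def sample(body: str, path: str = "/goform/formAccept") -> bytes:
    """Build a constructed request for the demo; this is not captured traffic."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


if __name__ == "__main__":
    cases = {
        "normal form post": sample("submit-url=%2Findex.asp"),
        "oversized value": sample("submit-url=" + "a" * 1700),
        "oversized, percent-encoded": sample("submit-url=" + "%61" * 300),
        "different endpoint": sample("x=1", path="/index.asp"),
    }
    for name, raw in cases.items():
        print(f"{name:28s} -> {inspect_request(raw)}")
```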
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.31
Patches
No patches discovered yet.
References
- github.com/wudipjq/my_vuln/blob/main/Edimax/vuln_13/13.md (mitre, exploit)
- vuldb.com/submit/813897 (mitre, third-party-advisory)
- vuldb.com/vuln/365441 (mitre, vdb-entry, technical-description)
- vuldb.com/vuln/365441/cti (mitre, signature, permissions-required)