CVE-2026-2566
Received - Intake
Remote Stack-Based Buffer Overflow in Wavlink WL-NU516U1 Firmware Update

Publication date: 2026-02-16

Last updated on: 2026-02-16

Assigner: VulDB

Description
A security vulnerability has been detected in Wavlink WL-NU516U1 up to 130/260. This affects the function sub_406194 of the file /cgi-bin/adm.cgi. Such manipulation of the argument firmware_url leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-02-16
Last Modified: 2026-02-16
Generated: 2026-05-07
AI Q&A: 2026-02-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
wavlink | wl-nu516u1 | to 260 (inc)
CWE ID | Description
CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2566 is a stack-based buffer overflow vulnerability found in the Wavlink WL-NU516U1 device firmware, specifically in the function sub_406194 within the /cgi-bin/adm.cgi file.

The vulnerability occurs when the argument firmware_url is manipulated. The firmware_url parameter is processed by a helper function that escapes every character by prefixing it with a backslash, effectively doubling the input length. This escaped string is then concatenated to a fixed-size stack buffer of 260 bytes without boundary checks.

If an attacker supplies a firmware_url longer than 130 bytes (which becomes over 260 bytes after escaping), it causes a stack buffer overflow. This overflow overwrites local variables, saved registers, and ultimately the return address, allowing the attacker to hijack the execution flow.

Exploitation requires the attacker to have a valid login session and valid parameters to bypass input validation, but once exploited, it can lead to remote code execution or denial of service.


How can this vulnerability impact me?

This vulnerability can have serious impacts on the affected device and its users.

- Remote Code Execution (RCE): An attacker can hijack the device's execution flow to run arbitrary code remotely.
- Denial of Service (DoS): The overflow can cause the device to crash or become unresponsive.
- Compromise of Confidentiality, Integrity, and Availability: The stack buffer overflow can lead to unauthorized access and manipulation of device functions.

Because the exploit requires authenticated access but can be launched remotely, attackers who gain valid credentials or sessions can fully compromise the device.

No known mitigations or fixes have been provided by the vendor, increasing the risk to users. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for attempts to exploit the stack-based buffer overflow in the /cgi-bin/adm.cgi component, specifically targeting the firmware_url parameter.

Detection involves checking for unusual HTTP requests to the /cgi-bin/adm.cgi endpoint with a firmware_url argument longer than 130 bytes, which after escaping exceeds 260 bytes.

Since exploitation requires authenticated access, monitoring for suspicious authenticated sessions making requests with unusually long firmware_url parameters is important.

Suggested commands include using network traffic inspection tools such as tcpdump or Wireshark to filter HTTP requests to /cgi-bin/adm.cgi and analyze the length of the firmware_url parameter.

- Example tcpdump command to capture HTTP requests to the device (0x47455420 is ASCII "GET ", so the filter matches packets whose TCP payload begins with a GET request):

    tcpdump -i <interface> -A 'tcp port 80 and ((ip dst <device_ip>) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420))'

- Use grep or similar tools on captured traffic to find requests containing 'firmware_url=' with unusually long values.
- Check device logs for authenticated sessions performing firmware upgrade requests with suspicious parameters.

[1, 2]
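The length check from this answer, combined with the doubling arithmetic from the explanation above (each byte escaped to two, 260-byte buffer), as an added example that is not part of the original page or any vendor tooling. It assumes raw HTTP requests have already been extracted from a capture and that the length that matters is the percent-decoded one; the sample requests, the `build` and `inspect` names, and the handling of a form body in addition to the query string are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

STACK_BUF = 260               # stack buffer size given in the text above
TARGET_PATH = "/cgi-bin/adm.cgi"
PARAM = "firmware_url"

def escaped_len(value: bytes) -> int:
    """Size after each byte is prefixed with a backslash (input doubles)."""
    return 2 * len(value)

def firmware_urls(raw_request: bytes):
    """Yield percent-decoded firmware_url values from query string and body."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(fields) < 2:
        return                                  # not an HTTP request line
    url = urlsplit(fields[1])
    if url.path != TARGET_PATH:
        return
    for source in (url.query, body.decode("latin-1")):
        for key, val in parse_qsl(source, keep_blank_values=True,
                                  encoding="latin-1"):
            if key == PARAM:
                yield val.encode("latin-1")

def inspect(raw_request: bytes):
    """Return (decoded_len, escaped_len) for each value that cannot fit."""
    return [(len(v), escaped_len(v)) for v in firmware_urls(raw_request)
            if escaped_len(v) > STACK_BUF]

def build(method: str, target: str, body: str = "") -> bytes:
    """Assemble a constructed sample request (test data only)."""
    return (f"{method} {target} HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n{body}"
            ).encode("latin-1")

# Constructed samples; 192.0.2.0/24 is a documentation address range.
SAMPLES = {
    "normal": build("GET", TARGET_PATH + "?firmware_url=http%3A%2F%2F192.0.2.10%2Ffw.bin"),
    "at_limit": build("GET", TARGET_PATH + "?firmware_url=" + "a" * 130),
    "over_limit": build("GET", TARGET_PATH + "?firmware_url=" + "a" * 131),
    "post_encoded": build("POST", TARGET_PATH, "firmware_url=" + "%61" * 131),
    "other_path": build("GET", "/index.html?firmware_url=" + "a" * 300),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, inspect(req) or "ok")
```

Measuring the decoded value matters because a percent-encoded parameter is three times longer on the wire than the bytes the CGI handler would see, so a raw grep on length would misjudge it.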


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the affected Wavlink WL-NU516U1 device, especially limiting authenticated access to trusted users only.

Since no official patch or vendor response is available, consider disabling remote firmware upgrade functionality or restricting it via network controls.

Change default passwords (default is 'admin') to strong, unique credentials to reduce risk of unauthorized authenticated access.

Monitor network traffic and device logs for exploitation attempts and unauthorized access.

If possible, replace the affected device with a non-vulnerable alternative to eliminate the risk. [2]

