CVE-2026-5004
Received Received - Intake
Stack-Based Buffer Overflow in Wavlink UPNP Handler Allows Remote Attack

Publication date: 2026-03-28

Last updated on: 2026-04-03

Assigner: VulDB

Description
A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This impacts the function sub_4019FC of the file /cgi-bin/firewall.cgi of the component UPNP Handler. Executing a manipulation of the argument UpnpEnabled can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-28
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5004
EUVD
EUVD-2026-16937
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wavlink wl-wn579x3-c_firmware 231124
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5004 is a stack-based buffer overflow vulnerability in the Wavlink WL-WN579X3-C router, specifically in the /cgi-bin/firewall.cgi component's UPNP Handler function sub_4019FC.

The vulnerability occurs because the function uses a fixed-size 8-byte stack buffer to handle the UpnpEnabled parameter, but unconditionally writes 40 bytes into it. This causes an overflow that overwrites adjacent stack data, including the function's return address.

An attacker can exploit this remotely by sending a specially crafted POST request with an excessively long UpnpEnabled value, which can cause the router to crash (denial of service) or, if precisely crafted, allow arbitrary code execution leading to full system compromise.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to cause a denial of service on your Wavlink WL-WN579X3-C router, making it unavailable.

More severely, an attacker can exploit the buffer overflow to execute arbitrary code on the device, potentially gaining full control over the router.

Such control could allow the attacker to intercept, modify, or redirect network traffic, compromise network security, or use the device as a foothold for further attacks within your network.

Detection Guidance

This vulnerability can be detected by sending a specially crafted POST request to the router's /cgi-bin/firewall.cgi endpoint with an excessively long UpnpEnabled parameter value. This triggers the stack-based buffer overflow in the UPNP Handler.

A detection method involves monitoring for crashes or denial of service events on the device after such requests, or actively testing by sending a POST request with a long UpnpEnabled parameter to see if the device crashes or behaves abnormally.

An example command using curl to test for the vulnerability could be:

  • curl -X POST http://[router_ip]/cgi-bin/firewall.cgi -d "firewall=UPNP&UpnpEnabled=$(python3 -c 'print("A"*40)')"

If the device crashes or becomes unresponsive after this request, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /cgi-bin/firewall.cgi endpoint to trusted networks or IP addresses to prevent remote exploitation.

Disabling UPnP functionality on the device, if possible, can reduce the attack surface since the vulnerability is triggered via the UpnpEnabled parameter.

Monitoring the device for unusual crashes or reboots can help detect exploitation attempts.

Since the vendor has not responded with a patch, consider isolating the vulnerable device from untrusted networks until a fix is available.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-5004 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5004. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart