CVE-2026-10259
Received Received - Intake
Stack-Based Buffer Overflow in H3C Magic B0

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A security vulnerability has been detected in H3C Magic B0 up to 100R002. The affected element is the function SetMobileAPInfoById of the file /goform/aspForm. Such manipulation of the argument param leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10259
EUVD
EUVD-2026-33638
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
h3c magic_b0 to 100R002 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate the vulnerability in H3C Magic B0 up to firmware version 100R002, immediate steps include avoiding exposure of the /goform/aspForm endpoint to untrusted networks since the attack can be performed remotely.

Restrict network access to the affected device by implementing firewall rules or network segmentation to limit who can send requests to the vulnerable function SetMobileAPInfoById.

Monitor network traffic for suspicious POST requests targeting the /goform/aspForm endpoint with unusually long param values, which may indicate exploitation attempts.

Since no vendor response or patch is available, consider disabling or restricting the vulnerable functionality if possible until an official fix is released.

Compliance Impact

The provided information does not specify how the vulnerability in H3C Magic B0 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a stack-based buffer overflow found in H3C Magic B0 routers up to firmware version 100R002. It occurs in the function SetMobileAPInfoById within the /goform/aspForm endpoint. By manipulating the 'param' argument without proper length validation, an attacker can overflow the buffer.

The overflow can be triggered remotely by sending a specially crafted HTTP POST request with an excessively long 'param' value, potentially leading to denial of service or remote code execution.

Impact Analysis

Exploitation of this vulnerability can allow an attacker to cause a denial of service or execute arbitrary code remotely on the affected device.

This means an attacker could disrupt network services or gain control over the router, potentially compromising the security and availability of your network.

Detection Guidance

This vulnerability can be detected by sending a crafted HTTP POST request to the /goform/aspForm endpoint of the H3C Magic B0 router, specifically targeting the SetMobileAPInfoById function with an excessively long param value to trigger the buffer overflow.

A proof-of-concept (POC) request involves manipulating the param argument in the POST data to a length that causes the overflow, which can be used to test if the system is vulnerable.

While exact commands are not provided, a typical detection approach would be to use tools like curl or a custom script to send such a POST request and observe the system's response or behavior for signs of buffer overflow or crash.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10259. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart