CVE-2026-13539
Received Received - Intake

Stack-Based Buffer Overflow in Wavlink WL-NU516U1-A Firmware

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description
A vulnerability was identified in Wavlink WL-NU516U1-A M16U1_V240425. The impacted element is the function sub_407504 of the file /cgi-bin/wireless.cgi of the component POST Parameter Handler. Such manipulation of the argument Guest_ssid leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-13539
EUVD
EUVD-2026-40037

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wavlink wl-nu516u1 m16u1_v240425
openwrt linux 3.10.108

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13539 is a stack-based buffer overflow vulnerability found in the Wavlink WL-NU516U1 router firmware version M16U1_V240425. It occurs in the function sub_407504 within the /cgi-bin/wireless.cgi file, specifically in the handling of the POST parameter Guest_ssid.

The vulnerability arises because the code uses the sprintf function without proper bounds checking to construct a command string, where the buffer size is limited to 1028 bytes. If the combined length of parameters, including Guest_ssid, exceeds this buffer size, it causes a stack overflow.

An attacker can exploit this by sending a crafted HTTP POST request with a large Guest_ssid value (around 1000+ bytes), which overwrites the stack return address. Due to the MIPS little-endian architecture, this can potentially lead to remote code execution by manipulating the return address register.

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the affected device. An attacker can exploit the buffer overflow to execute arbitrary code, potentially gaining control over the router.

Such control could allow the attacker to alter device configurations, intercept or redirect network traffic, disrupt network services, or use the compromised device as a foothold for further attacks within the network.

Because the exploit is remotely executable and publicly available, the risk of exploitation is high if the device is exposed to untrusted networks.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP POST requests sent to the endpoint /cgi-bin/wireless.cgi that include an unusually large Guest_ssid parameter (around 1000+ bytes). Such requests may indicate attempts to exploit the stack-based buffer overflow.

A practical detection method is to capture and analyze network traffic targeting the router's web interface, specifically looking for POST requests with oversized Guest_ssid parameters.

Example command using tcpdump to capture such traffic:

  • tcpdump -i <interface> -A 'tcp dst port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) > 1000)'

Alternatively, using curl to test the vulnerability by sending a crafted POST request with a large Guest_ssid parameter:

  • curl -X POST http://<target-ip>/cgi-bin/wireless.cgi -d 'Guest_ssid=$(python3 -c "print('A'*1500)")'

If the device crashes, behaves unexpectedly, or returns errors, it may be vulnerable.

Mitigation Strategies

The immediate recommended step is to upgrade the affected Wavlink WL-NU516U1 router firmware to the fixed version released by the vendor.

Until the upgrade can be applied, it is advisable to restrict access to the router's web interface, especially blocking remote access to /cgi-bin/wireless.cgi to prevent exploitation.

Additional mitigation steps include monitoring network traffic for suspicious POST requests targeting the Guest_ssid parameter and disabling guest Wi-Fi features if not needed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart