| tiêu đề | Wavlink NU516U1 V251208 Stack-based Buffer Overflow |
|---|
| Mô tả | # A remote stack overflow vulnerability exists in the `singlePortForwardDelete` function of the `firewall.cgi`
component in the Wavlink NU516U1 (V251208) software.
### Overview
Supplier: Wavlink
Product: NU516U1
Version: WAVLINK-NU516U1-A-WO-20251208-BYFM
Type: stack overflow
### **Vulnerability description:**
A stack overflow vulnerability exists in the `/cgi-bin/firewall.cgi` component in Wavlink NU516U1 router firmware
(version WAVLINK-NU516U1-A-WO-20251208-BYFM). The vulnerability is located in the **`sub_4016D0`** function that
handles the **Port Forward Delete (`singlePortForwardDelete`)** functionality. When processing the `del_flag`
parameter, the program calls the filter function `sub_405B2C` to check user input. Although this function attempts to
block dangerous characters through a blacklist mechanism, it does not enforce any restriction on input length.
After the input passes validation, the program uses the `sprintf` function to write the user-controlled `del_flag`
value into a fixed-size stack buffer:
```c
sprintf(v5, "uci delete firewall.@redirect[%s]", v2);
Because v5 is a local stack buffer of limited size and sprintf performs no bounds checking, an authenticated remote
attacker can supply an excessively long del_flag value to overflow the stack, corrupt adjacent memory, crash the CGI
process, and potentially achieve arbitrary code execution under certain conditions. |
|---|
| Nguồn | ⚠️ https://github.com/havenoideal123/wavlink-vuln/blob/main/firewall/singlePortForwardDelete.md |
|---|
| Người dùng | alex_7 (UID 97263) |
|---|
| Đệ trình | 11/04/2026 10:28 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 09/05/2026 09:55 (28 days later) |
|---|
| Trạng thái | Bản sao |
|---|
| Mục VulDB | 346265 [Wavlink WL-NU516U1 đến 20251208 /cgi-bin/firewall.cgi singlePortForwardDelete del_flag nâng cao đặc quyền] |
|---|
| điểm | 0 |
|---|