CVE-2026-10126: Edimax BR-6478AC Buffer Overflow
| Field | Value |
|---|---|
| CVE ID | CVE-2026-10126 |
| CVSS v3.1 | 8.8 (High) |
| Attack Vector | Network |
| Auth Required | Low privileges required |
| Patch Status | No confirmed fixed version identified |
TL;DR - High-severity buffer overflow in Edimax BR-6478AC firmware 1.23. - Affects
/goform/formQoSvia theselSSIDPOST parameter. - Public exploit disclosure is noted; patch status is unclear, so reduce exposure now.
Vulnerability at a Glance
CVE-2026-10126 is a high-severity vulnerability in the Edimax BR-6478AC router line. The NVD description states that firmware version 1.23 is affected and identifies the bug as a buffer overflow in the formQoS function of the /goform/formQoS POST request handler. The vulnerable input is the selSSID argument. CVSS v3.1 is 8.8, with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
For defenders, the important point is not just the score but the combination of traits: remote reachability, low attack complexity, no user interaction, and potential high impact to confidentiality, integrity, and availability. Even though privileges are listed as low rather than none, internet-exposed router management interfaces and weakly segmented admin networks can make “low privileges required” a weak barrier in practice.
What This Vulnerability Is
The available source-backed technical description is narrow but useful. The issue is tied to the /goform/formQoS endpoint and specifically the handling of the selSSID POST parameter inside the formQoS function. The described weakness is improper bounds handling that leads to a buffer overflow. On embedded network appliances, this class of bug can cause process instability, service interruption, device crashes, or, in some cases, code execution.
It is important not to overstate the impact. The sources available here do not conclusively prove remote code execution for this CVE. What is confirmed is the bug class, the vulnerable parameter, the route, the affected product/version, and the high CVSS impact profile. Defenders should therefore assume meaningful risk to device availability and integrity, while treating code execution as plausible but not confirmed from the retrievable evidence.
Who Is Affected
The confirmed affected product and version from the NVD record is:
| Product | Affected Version(s) | Fixed Version |
|---|---|---|
| Edimax BR-6478AC | 1.23 | Unknown / not identified |
That version statement matters because there is no verified vendor advisory in the materials available here that expands the vulnerable range beyond 1.23. In other words, defenders can confidently say BR-6478AC firmware 1.23 is affected, but they should avoid assuming that earlier or later firmware builds are safe or vulnerable without direct vendor evidence.
If you operate Edimax BR-6478AC devices and do not have strong firmware inventory data, the practical assumption should be conservative: treat devices as potentially exposed until you confirm the installed firmware version. Small offices, branch sites, unmanaged retail deployments, and legacy consumer-grade hardware used in business environments are the most likely blind spots.
Exploitation Status and Threat Context
The NVD description explicitly says that “the exploit has been released to the public and may be used for attacks.” Based on that language, the safest conclusion is that a public exploit or exploit details exist. However, the referenced disclosure pages were not retrievable in a way that allowed independent extraction of exploit steps or payload details in this environment.
What is not established is just as important. CISA KEV does not list CVE-2026-10126, so there is currently no CISA-confirmed in-the-wild exploitation entry tied to this vulnerability. That does not mean exploitation is impossible or unlikely; it means defenders should separate public exploit availability from confirmed active exploitation. At this time, the evidence supports the former but not the latter.
Why This Matters Operationally
Router and gateway vulnerabilities create outsized operational risk because they sit at trust boundaries. A successful attack against a SOHO or SMB edge device can provide a foothold for traffic interception, configuration tampering, persistence, or denial of service. Even when the bug is “only” a crash condition, repeated exploitation can disrupt branch connectivity and remote administration.
This CVE also affects a management-related endpoint, /goform/formQoS, which suggests exposure may depend heavily on whether the administrative web interface is reachable from untrusted networks. If remote administration is enabled from the internet, or if internal segmentation allows low-privilege users to reach the web UI, the practical attack surface is much broader. If admin access is limited to a dedicated management VLAN or physically local interface, risk can be reduced substantially even before a patch is available.
What Defenders Should Assume if Data Is Missing
Several important fields remain unknown from the available evidence. There is no verified fixed firmware version, no primary-source vendor advisory retrieved, and no confirmed in-the-wild exploitation record. When that happens, defenders should avoid filling gaps with assumptions. The right operating model is uncertainty-driven risk reduction.
Specifically, assume the following until better data appears: public exploit knowledge increases likelihood of opportunistic scanning; unsupported or consumer-grade edge devices may have weak telemetry; and “not in KEV” does not equal “not exploited.” If this router model is business-critical and internet-facing, treat the vulnerability as requiring prompt compensating controls even without a patch.
Detection and Exposure Assessment
Start with asset inventory. Identify whether any Edimax BR-6478AC devices are present, and confirm whether they are running firmware 1.23. Then determine if the administrative interface is reachable from the internet, guest networks, contractor segments, or other low-trust zones. Exposure is the key factor here because no verified fixed version is currently available.
Next, review HTTP access logs from any upstream reverse proxies, firewall web filtering, or packet captures that may see traffic to the router management interface. Many embedded devices have sparse onboard logging, so defenders may need to rely on adjacent telemetry rather than the device itself. Look for repeated or malformed POST requests to /goform/formQoS, especially with unusually long selSSID values.
Technical Notes
A concrete network-level hunting approach is to look for POST traffic targeting the vulnerable endpoint:
POST /goform/formQoS HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded
selSSID=AAAA...[very long value]...AAAA
Example Suricata rule for suspicious oversized selSSID submissions:
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"Possible CVE-2026-10126 exploit attempt against Edimax formQoS";
flow:to_server,established;
http.method; content:"POST";
http.uri; content:"/goform/formQoS";
http.request_body; content:"selSSID=";
pcre:"/selSSID=[^&]{128,}/Pi";
classtype:web-application-attack;
sid:2026101261;
rev:1;
)
If you log HTTP requests in Zeek, Splunk, or a web proxy, a simple query can help surface suspicious requests:
index=proxy OR index=zeek_http
(method=POST AND uri_path="/goform/formQoS")
| eval body_len=len(coalesce(request_body, uri_query, ""))
| search request_body="*selSSID=*"
| table _time src_ip dest_ip host uri_path status_code request_body
Because many routers do not expose rich application logs, defenders should also watch for indirect signs of exploitation such as management-plane resets, sudden HTTP service unavailability, configuration changes, or unexplained reboots shortly after POST requests to the endpoint. A practical log pattern to investigate is any sequence where a POST to /goform/formQoS is followed by a gap in management availability or a device restart alert from monitoring.
Mitigation and Patching
The most important caveat for CVE-2026-10126 is that no confirmed fixed version has been identified from retrievable primary-source material. The vulnerable version explicitly named is 1.23. If Edimax has released a remediated firmware, that fixed version was not verified here, so defenders should not claim a specific upgrade target without checking the vendor download portal or release notes directly.
In the absence of a confirmed patch, mitigation should focus on exposure reduction. Disable remote administration from the internet if enabled. Restrict management access to a trusted admin host or management VLAN. Use firewall rules so that only designated IPs can reach the router web interface. If the device is no longer supportable or cannot be isolated appropriately, replacement should be considered, especially in business use.
Technical Notes
First, verify the current firmware from the UI or, if available, an inventory script. If your environment tracks network appliance pages, document any BR-6478AC units on 1.23 as vulnerable until proven otherwise.
If a newer firmware package is available from the vendor portal, upgrade using the device’s administration interface. Because a vendor-confirmed fixed version is unknown, the command below is only for retrieving available firmware metadata, not asserting remediation:
curl -I "https://www.edimax.com/edimax/download/download/data/edimax/us/download/for_home/wireless_routers/wireless_routers_ac1200/br-6478ac"
Where edge firewalling is available, block access to the management interface except from trusted sources. Example perimeter ACL concept:
# Example only: allow router admin UI from a single admin workstation
iptables -A INPUT -p tcp -s 192.0.2.10 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp -s 192.0.2.10 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
If the router supports disabling WAN-side management, apply that workaround immediately. Since no fixed version is confirmed, the practical mitigation hierarchy is: remove internet exposure, limit admin-plane reachability, monitor for exploit attempts, and replace unsupported devices where feasible.
References
| Source | URL |
|---|---|
| NVD record | https://nvd.nist.gov/vuln/detail/CVE-2026-10126 |
| CVE record | https://www.cve.org/CVERecord?id=CVE-2026-10126 |
| CISA KEV catalog | https://www.cisa.gov/known-exploited-vulnerabilities-catalog |
| Edimax BR-6478AC download page | https://www.edimax.com/edimax/download/download/data/edimax/us/download/for_home/wireless_routers/wireless_routers_ac1200/br-6478ac |
| NVD reference: disclosure page | https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6478ACV2-formQoS-34b53a41781f804e9ddfe771c426d9b2?source=copy_link |
| NVD reference: VulDB page | https://vuldb.com/submit/818454 |
For more information on network vulnerabilities, check out our articles on what is patch Tuesday and what is spyware.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.