Skip to main content

F9k1122 CVE-2026-5044

| EUVDEUVD-2026-16991 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-03-29 VulDB
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
PoC Detected
Mar 30, 2026 - 19:02 vuln.today
Public exploit code
EUVD ID Assigned
Mar 29, 2026 - 12:30 euvd
EUVD-2026-16991
Analysis Generated
Mar 29, 2026 - 12:30 vuln.today
CVE Published
Mar 29, 2026 - 12:15 nvd
HIGH 7.4

DescriptionCVE.org

A security vulnerability has been detected in Belkin F9K1122 1.00.33. This affects the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. Such manipulation of the argument webpage leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stack-based buffer overflow in Belkin F9K1122 router version 1.00.33 allows authenticated remote attackers to achieve full system compromise via the formSetSystemSettings endpoint. The vulnerability resides in the Setting Handler component's webpage parameter processing. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. With CVSS 8.8 (High) severity and low attack complexity, this represents a critical risk to affected devices, though no active exploitation has been confirmed by CISA KEV at time of analysis.

Technical ContextAI

This vulnerability affects the Belkin F9K1122 wireless router firmware version 1.00.33, specifically the Setting Handler component that processes configuration changes through the /goform/formSetSystemSettings endpoint. The root cause is CWE-121 (Stack-based Buffer Overflow), where insufficient bounds checking on the 'webpage' parameter allows an attacker to write beyond allocated stack memory. Stack-based buffer overflows are particularly dangerous in embedded devices like routers because they can enable arbitrary code execution with the privileges of the vulnerable process, typically running at system/root level. The CPE identifier cpe:2.3:a:belkin:f9k1122 confirms this affects the F9K1122 product line. Router web interfaces often lack modern memory protection mechanisms like stack canaries or ASLR, making exploitation more reliable once stack layout is determined.

RemediationAI

No vendor-released patch identified at time of analysis despite researcher notification to Belkin. Given the vendor's non-response and lack of official remediation, organizations should implement compensating controls immediately. Primary mitigation: disable remote administration features and ensure router management interfaces are accessible only from trusted internal networks, never exposed to the internet. Implement strong, unique administrative credentials if default passwords are in use, as the vulnerability requires authentication (PR:L). Consider network segmentation to isolate the router management plane from general user networks. Monitor for unusual authentication attempts or configuration changes. Long-term recommendation: evaluate replacement with actively supported router hardware from vendors with established security response programs, as the F9K1122 appears to be an end-of-life product. For vulnerability tracking and technical details, reference VulDB entry https://vuldb.com/vuln/353967 and the proof-of-concept at https://github.com/Litengzheng/vul_db/blob/main/Belkin/vul_155/README.md.

Share

CVE-2026-5044 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy