Description
A security vulnerability has been detected in H3C Magic B3 up to 100R002. This affects the function UpdateWanParams of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow occurs in the UpdateWanParams function of the /goform/aspForm endpoint in H3C Magic B3 routers, enabling an attacker to send a maliciously crafted argument that overflows the buffer. This flaw can be triggered remotely, as stated in the description, and may allow an attacker to execute arbitrary code or hijack the device. The weakness is classified as a classic stack buffer overflow (CWE‑119) and related heap corruption (CWE‑120).

Affected Systems

H3C Magic B3 routers running firmware versions up to 100R002 are affected. No other product or version data is available.

Risk and Exploitability

The CVSS score of 8.6 marks this vulnerability as High severity, and the lack of an EPSS score does not diminish the real risk; the vulnerability has been publicly disclosed and may already be in use. The vulnerability is not listed in the CISA KEV, but its remote exploitability and high impact make it a priority for remediation. Attackers can exploit the flaw by sending specially crafted requests from the network to the device’s web interface, requiring no privileged local access.

Generated by OpenCVE AI on May 17, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from H3C that resolves the buffer overflow in Magic B3.
  • If an update is not available, block or restrict access to the /goform/aspForm endpoint using firewalls or access control lists to prevent remote exploitation.
  • Enable logging and monitor for anomalous traffic patterns targeting the vulnerable endpoint to detect potential exploitation attempts.

Generated by OpenCVE AI on May 17, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 17 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in H3C Magic B3 up to 100R002. This affects the function UpdateWanParams of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title H3C Magic B3 aspForm UpdateWanParams buffer overflow
First Time appeared H3c
H3c magic B3
Weaknesses CWE-119
CWE-120
CPEs cpe:2.3:a:h3c:magic_b3:*:*:*:*:*:*:*:*
Vendors & Products H3c
H3c magic B3
References
Metrics cvssV2_0

{'score': 8.3, 'vector': 'AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

H3c Magic B3
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T21:30:11.744Z

Reserved: 2026-05-17T08:51:53.738Z

Link: CVE-2026-8764

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-17T22:16:21.463

Modified: 2026-05-17T22:16:21.463

Link: CVE-2026-8764

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T10:49:01Z

Weaknesses