CVE-2026-2853
Remote Stack-Based Buffer Overflow in D-Link DWR-M960 System Log

Publication date: 2026-02-20

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was detected in D-Link DWR-M960 1.01.07. This affects the function sub_462E14 of the file /boafrm/formSysLog of the component System Log Configuration Endpoint. Manipulating the argument submit-url results in a stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.
Meta Information
Published: 2026-02-20
Last Modified: 2026-02-23
Generated: 2026-05-07
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
dlink | dwr-m960_firmware | 1.01.07
CWE
CWE ID | Description
CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2853 is a stack-based buffer overflow vulnerability in the D-Link DWR-M960 router, firmware version 1.01.07. It exists in the System Log Configuration Endpoint, specifically in the function sub_462E14 located in the file /boafrm/formSysLog. The vulnerability arises because the function processes the HTTP request parameter named submit-url using the unsafe strcpy function without checking the length of the input. This allows an attacker to supply an excessively long submit-url value, causing a buffer overflow that overwrites adjacent memory on the stack.

This overflow can lead to application crashes resulting in denial of service (DoS) and potentially allow arbitrary code execution, meaning an attacker could execute malicious code remotely on the device.
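
The unchecked strcpy pattern described above, next to a bounded replacement, as an added example that is not the firmware's code. The buffer size, the function names and the sample value are assumptions, since the page gives none of them.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_LEN 128 /* assumed size; the page does not give the real one */

/* The pattern the page describes, kept for contrast and never called here:
 * strcpy() keeps writing past url[] once the value reaches URL_BUF_LEN bytes. */
void handle_syslog_unsafe(const char *submit_url)
{
    char url[URL_BUF_LEN];
    strcpy(url, submit_url);
    (void)url;
}

/* Bounded copy: 0 on success, -1 if the value is missing or does not fit. */
int copy_submit_url(char *dst, size_t dst_len, const char *submit_url)
{
    const char *end;
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (submit_url == NULL)
        return -1;
    end = memchr(submit_url, '\0', dst_len); /* looks at dst_len bytes at most */
    if (end == NULL)
        return -1; /* too long: reject rather than truncate silently */
    memcpy(dst, submit_url, (size_t)(end - submit_url) + 1);
    return 0;
}

/* Hypothetical handler shape: returns the HTTP status it would send. */
int handle_syslog_safe(const char *submit_url)
{
    char url[URL_BUF_LEN];
    if (copy_submit_url(url, sizeof url, submit_url) != 0)
        return 400;
    /* ... use url ... */
    return 200;
}

int main(void)
{
    char big[300]; /* constructed over-long value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short value -> %d\n", handle_syslog_safe("/syslog.htm"));
    printf("299-byte value -> %d\n", handle_syslog_safe(big));
    return 0;
}
```

Rejecting the over-long value keeps the handler's behaviour explicit; truncating it would hide the malformed request from logs and from the caller.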


How can this vulnerability impact me?

This vulnerability can have serious impacts including denial of service (DoS) and remote code execution on the affected device.

  • Denial of Service (DoS): The buffer overflow can crash the web server or cause the device to reboot unexpectedly, making the device unavailable.
  • Remote Code Execution: An attacker may exploit the overflow to overwrite function pointers or control structures, potentially executing arbitrary code with root privileges.
  • Compromise of device confidentiality, integrity, and availability due to memory corruption.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formSysLog that include the parameter save_apply=Apply along with an excessively long submit-url parameter.

A proof of concept involves sending a POST request with these parameters to trigger the vulnerability, which causes the web server to crash or the device to reboot.

To detect exploitation attempts or scanning activity, you can use network monitoring tools or web server logs to look for POST requests to /boafrm/formSysLog with unusually long submit-url values.

  • Example tcpdump command that prints packets on port 80 carrying a POST to the endpoint. It does not measure the parameter itself, so the submit-url length has to be checked in the captured request (-l keeps the output line-buffered for grep):
    tcpdump -l -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /boafrm/formSysLog'
  • Alternatively, use a web application firewall (WAF) or intrusion detection system (IDS) to alert on POST requests to /boafrm/formSysLog with submit-url parameters exceeding normal length. [2]
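
The length check such a filter would apply to one request, as an added example that is not from the original page. The threshold, the function names and the sample request are assumptions, and the input is assumed to be a fully reassembled HTTP request with an unencoded parameter name.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SUBMIT_URL 256 /* assumed alert threshold; tune to your traffic */

/* Length of the submit-url value in a urlencoded body, or -1 if absent. */
long submit_url_len(const char *body)
{
    static const char key[] = "submit-url=";
    const char *p = body;

    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        if (strncmp(p, key, sizeof key - 1) == 0) {
            const char *v = p + sizeof key - 1;
            return amp ? (long)(amp - v) : (long)strlen(v);
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

/* 1 if the reassembled request is a POST to /boafrm/formSysLog whose
 * submit-url value exceeds MAX_SUBMIT_URL bytes, else 0. */
int is_suspicious(const char *request)
{
    static const char start[] = "POST /boafrm/formSysLog";
    const char *body;
    char next;

    if (strncmp(request, start, sizeof start - 1) != 0)
        return 0;
    next = request[sizeof start - 1];
    if (next != ' ' && next != '?')
        return 0; /* a longer path that merely shares the prefix */
    body = strstr(request, "\r\n\r\n");
    if (body == NULL)
        return 0; /* headers only, nothing to measure */
    return submit_url_len(body + 4) > MAX_SUBMIT_URL;
}

int main(void)
{
    /* Constructed sample request, not captured traffic. */
    const char *ok = "POST /boafrm/formSysLog HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"
                     "save_apply=Apply&submit-url=/syslog.htm";
    printf("benign request flagged: %d\n", is_suspicious(ok));
    return 0;
}
```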


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable endpoint /boafrm/formSysLog to trusted networks or IP addresses to prevent remote exploitation.

If possible, disable or block HTTP POST requests to /boafrm/formSysLog that contain the save_apply parameter or unusually long submit-url values.

Since no known mitigations or patches are currently available, it is recommended to replace the affected D-Link DWR-M960 device with a secure alternative.

Monitoring the device for crashes or unexpected reboots can also help detect exploitation attempts.

