Executive Summary

CVE-2026-2853 is a stack-based buffer overflow vulnerability in the D-Link DWR-M960 router, firmware version 1.01.07. It exists in the System Log Configuration Endpoint, specifically in the function sub_462E14 located in the file /boafrm/formSysLog. The vulnerability arises because the function processes the HTTP request parameter named submit-url using the unsafe strcpy function without checking the length of the input. This allows an attacker to supply an excessively long submit-url value, causing a buffer overflow that overwrites adjacent memory on the stack.

This overflow can lead to application crashes resulting in denial of service (DoS) and potentially allow arbitrary code execution, meaning an attacker could execute malicious code remotely on the device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including denial of service (DoS) and remote code execution on the affected device.

• Denial of Service (DoS): The buffer overflow can crash the web server or cause the device to reboot unexpectedly, making the device unavailable.
• Remote Code Execution: An attacker may exploit the overflow to overwrite function pointers or control structures, potentially executing arbitrary code with root privileges.
• Compromise of device confidentiality, integrity, and availability due to memory corruption.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formSysLog that include the parameter save_apply=Apply along with an excessively long submit-url parameter.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending a POST request with these parameters to trigger the vulnerability, which causes the web server to crash or the device to reboot.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or scanning activity, you can use network monitoring tools or web server logs to look for POST requests to /boafrm/formSysLog with unusually long submit-url values.'}, {'type': 'list_item', 'content': 'Example command to monitor HTTP POST requests with suspicious submit-url length using tcpdump or tshark:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /boafrm/formSysLog'"}, {'type': 'list_item', 'content': 'Alternatively, use a web application firewall (WAF) or intrusion detection system (IDS) to alert on POST requests to /boafrm/formSysLog with submit-url parameters exceeding normal length.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint /boafrm/formSysLog to trusted networks or IP addresses to prevent remote exploitation.

If possible, disable or block HTTP POST requests to /boafrm/formSysLog that contain the save_apply parameter or unusually long submit-url values.

Since no known mitigations or patches are currently available, it is recommended to replace the affected D-Link DWR-M960 device with a secure alternative.

Monitoring the device for crashes or unexpected reboots can also help detect exploitation attempts.

Useful 0 Not Useful 0