CVE-2026-2854
Remote Stack-Based Buffer Overflow in D-Link DWR-M960 NTP Endpoint
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability is a stack-based buffer overflow found in the D-Link DWR-M960 router firmware version 1.01.07, specifically in the NTP Configuration Endpoint at /boafrm/formNtp within the function sub_4611CC.'}, {'type': 'paragraph', 'content': "The flaw occurs because the function processes the HTTP request parameter 'submit-url' using the unsafe strcpy function without checking the length of the input. When the 'save_apply' parameter is present, an attacker can supply an excessively long 'submit-url' string that overflows a fixed-size global buffer named wizard_htm."}, {'type': 'paragraph', 'content': 'This unchecked copying leads to memory corruption on the stack, which can cause the web server to crash or allow an attacker to execute arbitrary code remotely with elevated privileges.'}] [1, 2, 3]
How can this vulnerability impact me? :
Exploiting this vulnerability can have severe impacts including denial of service (DoS) and arbitrary code execution.
- Denial of Service: The buffer overflow can overwrite critical memory, causing the web server to crash or the device to reboot unexpectedly, making the router unavailable.
- Arbitrary Code Execution: An attacker can craft payloads to overwrite function pointers or control structures, potentially hijacking the execution flow to run malicious code with web server privileges, typically root.
Since the exploit can be launched remotely without authentication, the risk is high and can lead to full compromise of the affected device.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formNtp that include the parameters save_apply and an excessively long submit-url parameter. Such requests may cause the web server to crash or the device to reboot unexpectedly.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending a POST request with these parameters to trigger the buffer overflow.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts or test for the vulnerability, you can use commands like curl to send crafted POST requests and observe the device's response or stability."}, {'type': 'list_item', 'content': 'curl -X POST http://<device-ip>/boafrm/formNtp -d "save_apply=1&submit-url=$(python3 -c \'print("A"*1000)\')"'}, {'type': 'paragraph', 'content': 'If the device crashes, reboots, or the web server becomes unreachable after such a request, it indicates the presence of the vulnerability.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No known mitigations or countermeasures have been identified for this vulnerability.
It is recommended to replace the affected D-Link DWR-M960 router with an alternative device that is not vulnerable.
Until replacement, restrict remote access to the device to trusted networks only and monitor for suspicious POST requests to /boafrm/formNtp.