CVE-2026-2855
Stack-Based Buffer Overflow in D-Link DWR-M960 DDNS Handler
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2855 is a stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router running firmware version 1.01.07. It exists in the Dynamic DNS (DDNS) configuration endpoint at /boafrm/formDdns, specifically in the function sub_4648F0 that processes the HTTP request parameter named submit-url.
The vulnerability arises because the function uses the unsafe strcpy function to copy the submit-url parameter into a fixed-size global buffer without checking the length of the input. An attacker can supply an excessively long submit-url value, causing a buffer overflow that overwrites adjacent memory on the stack.
This memory corruption can lead to denial of service by crashing the web server or causing the device to reboot unexpectedly, and more critically, it may allow arbitrary code execution with root privileges.
How can this vulnerability impact me?
This vulnerability can have severe impacts including denial of service (DoS) and remote code execution on the affected device.
- Denial of Service: The buffer overflow can crash the router's web server or cause the device to reboot unexpectedly, making the device unavailable.
- Remote Code Execution: An attacker can exploit the overflow to execute arbitrary code with root privileges, potentially taking full control of the device remotely.
- Compromise of Confidentiality, Integrity, and Availability: Since the attacker can execute code remotely, they may access sensitive data, alter device configurations, or disrupt network services. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or crafted HTTP POST requests sent to the endpoint /boafrm/formDdns, specifically those containing an excessively long submit-url parameter.
A proof of concept involves sending a crafted POST request with an oversized submit-url parameter and ddnsEnabled=OFF to trigger the vulnerability.
To detect potential exploitation attempts, you can use network monitoring tools or packet capture utilities to filter HTTP POST requests to /boafrm/formDdns and inspect the length of the submit-url parameter.
- Use tcpdump or tshark to capture HTTP POST requests to /boafrm/formDdns, for example: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formDdns'`
- Use curl or similar tools to test the endpoint by sending a crafted POST request with a long submit-url parameter to see if the device crashes or reboots.
- Monitor device logs or syslogs for unexpected crashes or reboots of the web server (boa) which may indicate exploitation attempts. [1]
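The detection idea above (filter POSTs to /boafrm/formDdns and check how long the submit-url value is) can be turned into a small checker that runs over captured requests. The following is an added example written for this page, not code from D-Link, VulDB or the advisory. It assumes a 256-byte alert threshold, the 192.0.2.1 address and the sample request bodies, all of which are constructed for illustration; the threshold in particular is not a value the advisory states, so tune it to what the legitimate DDNS page actually submits on your device.

```python
"""Flag HTTP POST requests to the DWR-M960 DDNS handler whose submit-url
parameter is suspiciously long (detection aid for CVE-2026-2855).

Added example, not vendor code. The threshold below is an assumption."""
from urllib.parse import unquote_to_bytes

TARGET_PATH = "/boafrm/formDdns"   # endpoint named in the advisory
MAX_SUBMIT_URL_LEN = 256           # assumed alert threshold, in decoded bytes


def parse_http_request(raw: bytes) -> dict:
    """Minimal parser for one raw HTTP/1.x request taken from a capture.

    Returns method, path, headers (lower-cased names) and the body bytes.
    If Content-Length is present the body is cut to that size so pipelined
    bytes from a following request are not counted."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"method": method.decode("latin-1"),
            "path": path.decode("latin-1"),
            "headers": headers,
            "body": body}


def form_field_lengths(body: bytes) -> dict:
    """Decoded byte length of each field in a form-urlencoded body.

    Percent-decoding is applied first so that '%41%41' counts as 2 bytes,
    i.e. the length the server-side copy actually sees, not the wire length."""
    lengths = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        key = unquote_to_bytes(name.replace(b"+", b" ")).decode("latin-1")
        lengths[key] = len(unquote_to_bytes(value.replace(b"+", b" ")))
    return lengths


def check_request(raw: bytes, threshold: int = MAX_SUBMIT_URL_LEN):
    """Return (is_suspicious, detail) for one captured request.

    Suspicious means: a POST to the DDNS handler whose submit-url value is
    longer than `threshold` decoded bytes. Any query string on the path is
    ignored when matching the endpoint."""
    req = parse_http_request(raw)
    if req["method"] != "POST" or req["path"].split("?", 1)[0] != TARGET_PATH:
        return False, "not a POST to the DDNS handler"
    n = form_field_lengths(req["body"]).get("submit-url", 0)
    if n > threshold:
        return True, f"submit-url is {n} bytes (threshold {threshold})"
    return False, f"submit-url is {n} bytes"


def build_post(body: bytes) -> bytes:
    """Constructed sample request to the DDNS handler (test data, not a client)."""
    return (b"POST /boafrm/formDdns HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    # Constructed samples: a normal save of the DDNS page, and one whose
    # submit-url is far longer than any page path the UI would submit.
    normal = build_post(b"ddnsEnabled=OFF&submit-url=%2Fddns.htm")
    oversized = build_post(b"ddnsEnabled=OFF&submit-url=" + b"A" * 600)
    for sample in (normal, oversized):
        print(check_request(sample))
```

In a live deployment the raw request bytes would come from a tcpdump/tshark export or a proxy log rather than the constructed samples; the check deliberately measures the decoded length, since percent-encoding or `+` padding would otherwise let a long value look short on the wire.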
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the DDNS feature on the affected D-Link DWR-M960 router if it is not required.
Since the vulnerability arises from unsafe handling of the submit-url parameter in the DDNS settings handler, avoiding use of this feature reduces exposure.
Monitor for firmware updates or patches from D-Link addressing this vulnerability and apply them as soon as they become available.
If no patch is available, consider replacing the affected device with a different model or vendor that is not vulnerable.
Restrict network access to the router's management interface to trusted hosts only, and avoid exposing it to the internet. [3]