CVE-2026-2856
Remote Stack-Based Buffer Overflow in D-Link DWR-M960 Filter Endpoint
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow found in the D-Link DWR-M960 router firmware version 1.01.07. It occurs in the function sub_424AFC within the /boafrm/formFilter endpoint, which processes the submit-url parameter from HTTP requests.
The root cause is the unsafe use of the strcpy function to copy the submit-url parameter into a fixed-size global buffer named wizard_htm without checking the length of the input. If an attacker sends an oversized submit-url value, it can overflow the buffer and overwrite adjacent memory on the stack.
This overflow can cause the web server to crash, leading to denial of service, or it may allow an attacker to execute arbitrary code with root privileges by hijacking the execution flow.
The attack can be launched remotely by sending a crafted POST request to the /boafrm/formFilter endpoint with the save_apply parameter set and an oversized submit-url parameter.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "Exploitation of this vulnerability can lead to denial of service by crashing the router's web server or causing the device to reboot unexpectedly, making the device unavailable."}, {'type': 'paragraph', 'content': 'More critically, it may allow an attacker to execute arbitrary code with root privileges on the device, potentially taking full control over the router.'}, {'type': 'paragraph', 'content': 'This could compromise the confidentiality, integrity, and availability of the device and any network traffic passing through it.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formFilter that include the parameters save_apply and an oversized submit-url value. Such requests may cause the web server to crash or the device to reboot unexpectedly.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending a POST request with a large submit-url parameter to trigger the buffer overflow.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can use network monitoring tools or command-line utilities to capture and analyze HTTP POST requests targeting /boafrm/formFilter.'}, {'type': 'list_item', 'content': 'Use tcpdump or tshark to capture HTTP POST requests to /boafrm/formFilter:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formFilter'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint with a crafted POST request containing a large submit-url parameter to verify if the device crashes or becomes unresponsive.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'No known mitigations or countermeasures have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': 'The recommended immediate step is to replace the affected D-Link DWR-M960 device running firmware version 1.01.07 with an alternative device or updated firmware once available.'}, {'type': 'paragraph', 'content': "In the meantime, restrict network access to the device's management interface to trusted hosts only, and monitor for suspicious POST requests to /boafrm/formFilter."}] [2]