CVE-2026-2881
Stack-Based Buffer Overflow in D-Link DWR-M960 Firewall Endpoint
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2881 is a stack-based buffer overflow in D-Link DWR-M960 router firmware version 1.01.07. It sits in the Advanced Firewall Configuration endpoint, in the function sub_425FF8 reached through /boafrm/formFirewallAdv.

The function handles the submit-url parameter of an incoming HTTP request during a "save and apply" action. It copies that parameter into the fixed-size buffer wizard_htm with strcpy, so the length of the attacker-controlled value is never checked against the size of the destination.

An oversized submit-url value therefore writes past the end of the buffer and corrupts adjacent memory. This can crash the device's web server (denial of service) or, with a crafted payload, let a remote attacker execute arbitrary code on the device. One caveat: this description calls wizard_htm a global buffer, while the CVE is classified as stack-based (CWE-121). A global does not live on the stack, so confirm the buffer's actual location against the advisory before relying on either classification for exploitability analysis. [1, 2, 3]
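The copy pattern described above, as an added example that is not code from the D-Link firmware or from this page's sources: an unbounded strcpy into a fixed-size buffer beside a bounded version that refuses oversized input. The buffer size WIZARD_HTM_SIZE, the function names and the way the parameter value reaches the function are assumptions for illustration; only the use of strcpy on submit-url into wizard_htm comes from the description.

```c
/* Added example, not firmware code. The page says sub_425FF8 copies the
 * submit-url value into wizard_htm with strcpy() and no length check. The
 * buffer size, function names and calling convention below are assumed. */
#include <stdio.h>
#include <string.h>

#define WIZARD_HTM_SIZE 64   /* assumed; the real size is not on the page */

static char wizard_htm[WIZARD_HTM_SIZE];

/* Assumed shape of the vulnerable pattern: the value is copied verbatim, so a
 * value of WIZARD_HTM_SIZE bytes or more writes past the end of the buffer.
 * Whether wizard_htm is a global or a stack local changes what gets corrupted
 * (other data vs. saved registers and the return address), not the bug. */
int save_submit_url_unchecked(const char *submit_url)
{
    strcpy(wizard_htm, submit_url);   /* CWE-119/CWE-121: no bound on the copy */
    return 0;
}

/* Hardened form: reject anything that does not fit including the NUL, and only
 * then copy. memchr() with the buffer size as the limit never scans further
 * than WIZARD_HTM_SIZE bytes, so an attacker-controlled string of any length
 * is handled without reading or writing out of bounds. */
int save_submit_url_checked(const char *submit_url)
{
    if (submit_url == NULL)
        return -1;
    const char *nul = memchr(submit_url, '\0', WIZARD_HTM_SIZE);
    if (nul == NULL)
        return -1;                    /* no terminator within the limit: too long */
    size_t len = (size_t)(nul - submit_url);
    memcpy(wizard_htm, submit_url, len + 1);
    return 0;
}

/* What is currently stored; used by the demonstration and the checks. */
const char *current_submit_url(void)
{
    return wizard_htm;
}

int main(void)
{
    /* Constructed inputs: a normal page path and an oversized value. */
    char oversized[WIZARD_HTM_SIZE * 4];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("checked(normal)    -> %d (%s)\n",
           save_submit_url_checked("/wizard.htm"), current_submit_url());
    printf("checked(oversized) -> %d\n", save_submit_url_checked(oversized));
    /* save_submit_url_unchecked(oversized) is deliberately not called here:
     * it would overwrite whatever follows wizard_htm in memory. */
    return 0;
}
```

The checked version returns an error instead of truncating on purpose: silently cutting submit-url short would later redirect the browser to a different page than the one requested, which hides the attack attempt rather than rejecting it.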
How can this vulnerability impact me?
Exploitation of this vulnerability can have serious impacts on the affected device and its users.

- Denial of Service (DoS): the overflow can overwrite critical variables or control data, causing the router's web server to crash or the device to reboot, with loss of network connectivity as a result.
- Arbitrary Code Execution: an attacker can craft a payload that overwrites function pointers or control structures, hijacking execution flow to run arbitrary code with root privileges on the device.

Because the vulnerability is remotely exploitable without authentication, attacks can be launched from anywhere the web interface is reachable, making exposed devices highly susceptible to compromise. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring for HTTP POST requests to /boafrm/formFirewallAdv that carry the save_apply parameter together with an unusually long submit-url value. Legitimate values of submit-url are short page paths, so a value of hundreds of bytes or more is a strong indicator.

The public proof of concept sends a POST request with an excessively long submit-url value, which crashes the web server or makes the device unreachable.

To look for such requests in network traffic:

- Capture traffic to the router's web interface with tcpdump or Wireshark and filter for HTTP POST requests to /boafrm/formFirewallAdv.
- Example tcpdump command that prints only TCP segments carrying payload on port 80 and greps for the endpoint: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formFirewallAdv'`. Adjust the port if the management interface listens elsewhere. Because grep works per packet, the request line and the form body can land in different segments; to see the full request, save the capture with `-w` and use Wireshark's Follow TCP Stream, or the display filter `http.request.uri contains "/boafrm/formFirewallAdv"`.
- Inspect the captured POST bodies for the save_apply parameter and for submit-url values far longer than a page path.
- Alternatively, use curl or a similar tool to send crafted POST requests with long submit-url values and observe whether the device crashes or behaves abnormally. This is a crash test, not a safe probe: run it only against a device you are authorized to take offline, ideally a lab unit, since a positive result means the router's web server goes down. [1, 2]
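The detection rule above (POST to /boafrm/formFirewallAdv, a save_apply field, and an oversized submit-url value) applied to raw HTTP request text, as an added example that is not from this page's sources: it parses the request line and the url-encoded body and returns a verdict. The request samples are constructed, not captured traffic, and the 128-byte threshold SUBMIT_URL_LIMIT is an assumption to tune against the longest legitimate submit-url your devices send.

```c
/* Added example, not from the page or from D-Link: flags a reassembled HTTP
 * request that matches the CVE-2026-2881 exploitation pattern. The sample
 * requests are constructed and the length threshold is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET_PATH      "/boafrm/formFirewallAdv"
#define SUBMIT_URL_LIMIT 128   /* assumed: legitimate values are short page paths */

/* Length of the value of `name` in an application/x-www-form-urlencoded body,
 * 0 for a bare field or empty value, -1 when the field is absent. Values are
 * measured before URL-decoding: that is what a sensor sees, and decoding can
 * only shorten them, so the check stays conservative. */
static long form_value_len(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen >= nlen && strncmp(p, name, nlen) == 0 &&
            (flen == nlen || p[nlen] == '='))
            return flen == nlen ? 0 : (long)(flen - nlen - 1);
        if (!end)
            break;
        p = end + 1;
    }
    return -1;
}

/* Returns 1 if `raw` (request line, headers, blank line, body) matches the
 * pattern, 0 if it does not, -1 if it is not a parseable request line. */
int flag_firewall_adv_request(const char *raw)
{
    char method[8] = {0}, path[256] = {0};
    if (sscanf(raw, "%7s %255s", method, path) != 2)
        return -1;
    if (strcmp(method, "POST") != 0)
        return 0;
    char *q = strchr(path, '?');      /* compare the path without a query string */
    if (q)
        *q = '\0';
    if (strcmp(path, TARGET_PATH) != 0)
        return 0;

    const char *body = strstr(raw, "\r\n\r\n");
    if (!body)
        return 0;                     /* headers only: nothing to judge yet */
    body += 4;

    int has_save_apply = form_value_len(body, "save_apply") >= 0;
    long submit_len = form_value_len(body, "submit-url");
    return (has_save_apply && submit_len > SUBMIT_URL_LIMIT) ? 1 : 0;
}

/* Constructed benign request: a normal "save and apply" with a short page path. */
const char benign_req[] =
    "POST /boafrm/formFirewallAdv HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "save_apply=Save&submit-url=/firewall_adv.htm";

/* Builds a constructed request whose submit-url value is n bytes of 'A'.
 * The caller frees the result. */
char *make_request_with_submit_url_len(size_t n)
{
    const char *head = "POST /boafrm/formFirewallAdv HTTP/1.1\r\n"
                       "Host: 192.0.2.1\r\n\r\nsave_apply=Save&submit-url=";
    size_t hlen = strlen(head);
    char *buf = malloc(hlen + n + 1);
    if (!buf)
        return NULL;
    memcpy(buf, head, hlen);
    memset(buf + hlen, 'A', n);
    buf[hlen + n] = '\0';
    return buf;
}

int main(void)
{
    char *attack = make_request_with_submit_url_len(2000);
    printf("benign -> %d\n", flag_firewall_adv_request(benign_req));
    printf("attack -> %d\n", attack ? flag_firewall_adv_request(attack) : -1);
    free(attack);
    return 0;
}
```

The same three conditions translate directly into an IDS rule (method, URI, body contents with a length bound); keeping the length bound rather than matching on any request to the endpoint is what separates exploitation attempts from an administrator's ordinary firewall changes.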
What immediate steps should I take to mitigate this vulnerability?
At the time of writing, no vendor patch or official mitigation had been identified for this vulnerability. Check D-Link's support site for a firmware release newer than 1.01.07 and the advisory's status before assuming none exists.

Until a fix is available, keep the affected device's web interface off untrusted networks: disable remote (WAN-side) management, and restrict access to the administration interface to trusted management hosts where the device allows it.

Consider replacing the affected D-Link DWR-M960 router with a device that is not vulnerable, particularly where the interface cannot be isolated.

Monitor the device for signs of exploitation such as web server crashes or unexpected reboots, and review traffic to the management interface for the request pattern described above. [3]