CVE-2026-2882
Stack-Based Buffer Overflow in D-Link DWR-M960 Remote Exploitable
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2882 is a stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router with firmware version 1.01.07. It exists in the function sub_46385C within the /boafrm/formDosCfg endpoint, which manages Denial of Service (DoS) protection settings.
The vulnerability occurs when the router processes an HTTP request containing the submit-url parameter along with the save_apply parameter. The function uses the unsafe strcpy function to copy the submit-url value into a fixed-size global buffer without checking the length of the input. This lack of bounds checking allows an attacker to supply an excessively long submit-url string, causing a stack-based buffer overflow.
Exploitation of this vulnerability can lead to memory corruption, crashing the web server, device reboot, Denial of Service (DoS), or potentially arbitrary code execution with root privileges.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts on the affected device and its users. An attacker can remotely exploit the flaw without authentication by sending a specially crafted HTTP request.'}, {'type': 'list_item', 'content': "Denial of Service (DoS) - The device's web server can crash or the device may reboot unexpectedly, causing service interruptions."}, {'type': 'list_item', 'content': 'Arbitrary Code Execution - A skilled attacker could execute malicious code with root privileges, potentially taking full control of the device.'}, {'type': 'list_item', 'content': 'Compromise of Confidentiality, Integrity, and Availability - The vulnerability affects all three security aspects, potentially exposing sensitive data or disrupting device operations.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formDosCfg on the D-Link DWR-M960 router running firmware version 1.01.07.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying HTTP POST requests that include the parameter save_apply along with an excessively long submit-url parameter, which triggers the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending a POST request to /boafrm/formDosCfg with these parameters, so network monitoring tools or intrusion detection systems (IDS) can be configured to alert on such requests.'}, {'type': 'list_item', 'content': 'Use network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to /boafrm/formDosCfg.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formDosCfg'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint manually by sending a crafted POST request with a long submit-url parameter and save_apply set, to observe if the device crashes or behaves unexpectedly.'}, {'type': 'list_item', 'content': 'Example curl command to test: curl -X POST http://<router-ip>/boafrm/formDosCfg -d \'save_apply=1&submit-url=\'$(python3 -c \'print("A"*1000)\')'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'No known mitigations or countermeasures have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': 'The recommended immediate step is to replace the affected D-Link DWR-M960 device running firmware version 1.01.07 with an alternative device that is not vulnerable.'}, {'type': 'paragraph', 'content': "Additionally, restricting network access to the device's management interface and monitoring for suspicious POST requests to /boafrm/formDosCfg can help reduce exposure."}] [2]