CVE-2026-2884
Remote Stack-Based Buffer Overflow in D-Link WAN Interface Handler
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formWanConfigSetup on the D-Link DWR-M960 router running firmware version 1.01.07. Specifically, look for HTTP POST requests containing an excessively long or malformed submit-url parameter, which is the vector for the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method involves capturing network traffic and filtering for POST requests to /boafrm/formWanConfigSetup. For example, using tcpdump or tshark:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formWanConfigSetup'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "POST" and http.request.uri contains "/boafrm/formWanConfigSetup"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'Additionally, inspecting the length of the submit-url parameter in these POST requests can help identify attempts to exploit the buffer overflow by spotting abnormally long values.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps for this vulnerability include restricting access to the affected device's management interface to trusted networks only, such as internal LAN segments, to prevent remote exploitation."}, {'type': 'paragraph', 'content': 'Since no known software patches or mitigations are available, it is recommended to replace the affected D-Link DWR-M960 router running firmware version 1.01.07 with an alternative device or updated firmware once available.'}, {'type': 'paragraph', 'content': 'As a temporary measure, monitoring and blocking suspicious POST requests to /boafrm/formWanConfigSetup containing unusually long submit-url parameters via network firewalls or intrusion detection/prevention systems can reduce risk.'}] [1, 2]
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2884 is a critical stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, version 1.01.07. The flaw exists in the function sub_41914C within the file /boafrm/formWanConfigSetup, which is part of the WAN Interface Setting Handler component.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper handling of the "submit-url" argument, where manipulation with crafted input leads to a stack-based overflow condition. Specifically, the function uses the unsafe strcpy operation to copy the submit-url content into a fixed-size global buffer without validating the input length, allowing an attacker to supply an oversized submit-url parameter.'}, {'type': 'paragraph', 'content': 'This lack of bounds checking causes out-of-bounds memory writes, which can lead to denial of service by crashing the embedded web server or device reboot, or more critically, arbitrary code execution with root privileges by hijacking execution flow.'}, {'type': 'paragraph', 'content': 'The attack can be launched remotely without authentication, making it highly exploitable, and a proof-of-concept exploit is publicly available.'}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can impact the confidentiality, integrity, and availability of the affected device.'}, {'type': 'list_item', 'content': 'Denial of Service (DoS) by crashing the embedded web server or causing the device to reboot.'}, {'type': 'list_item', 'content': "Arbitrary code execution with root privileges, allowing an attacker to hijack the device's execution flow."}, {'type': 'list_item', 'content': 'Remote exploitation without authentication, increasing the risk and ease of attack.'}] [1, 2, 3]