CVE-2026-2925
Remote Stack-Based Buffer Overflow in D-Link Bridge VLAN Endpoint
Publication date: 2026-02-22
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2925 is a stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, firmware version 1.01.07. It exists in the Bridge VLAN Configuration Endpoint, specifically in the function sub_42B5A0 within the file /boafrm/formBridgeVlan.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs when the router processes the "submit-url" parameter from an HTTP request that includes the "save_apply" parameter, which indicates a configuration save or apply action. The code uses an unsafe strcpy operation to copy the "submit-url" value into a fixed-size global buffer named wizard_htm without validating the length of the input.'}, {'type': 'paragraph', 'content': 'Because there is no bounds checking, supplying an oversized "submit-url" parameter causes a stack-based buffer overflow. This overflow can be exploited remotely by sending a crafted POST request to the /boafrm/formBridgeVlan endpoint.'}, {'type': 'paragraph', 'content': 'Exploitation can lead to denial of service (crashing the web server or rebooting the device) or arbitrary code execution with web server privileges, potentially allowing an attacker to take control of the device.'}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts including:'}, {'type': 'list_item', 'content': "Denial of Service (DoS): An attacker can cause the router's web server to crash or the device to reboot by exploiting the buffer overflow."}, {'type': 'list_item', 'content': 'Arbitrary Code Execution: An attacker can execute malicious code on the device with web server privileges (typically root), potentially gaining full control over the router.'}, {'type': 'list_item', 'content': "Compromise of Confidentiality, Integrity, and Availability: The overflow can lead to unauthorized access and manipulation of the device's functions and data."}, {'type': 'paragraph', 'content': 'Since the exploit can be performed remotely without authentication, the risk is elevated for affected devices exposed to untrusted networks.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the endpoint /boafrm/formBridgeVlan that include the parameter save_apply along with an unusually long submit-url parameter. Such requests may indicate attempts to exploit the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze network traffic targeting the D-Link DWR-M960 router, specifically looking for POST requests to /boafrm/formBridgeVlan with the save_apply parameter and oversized submit-url values.'}, {'type': 'list_item', 'content': 'Use a network packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to /boafrm/formBridgeVlan.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /boafrm/formBridgeVlan'"}, {'type': 'list_item', 'content': 'Inspect captured HTTP POST payloads for the presence of the save_apply parameter and check the length of the submit-url parameter to identify unusually long values.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring device logs for crashes or reboots of the web server (boa) may indicate exploitation attempts.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint and limiting exposure of the affected device to untrusted networks.
- Block or filter incoming HTTP POST requests to /boafrm/formBridgeVlan from untrusted sources using firewall rules.
- Disable remote management or restrict it to trusted IP addresses only.
- Monitor the device for unusual behavior such as crashes or reboots that may indicate exploitation.
Since no official patches or countermeasures are reported, the recommended long-term solution is to replace the affected D-Link DWR-M960 router with a secure alternative.