CVE-2026-2926
Remote Stack-Based Buffer Overflow in D-Link LTE Configuration Endpoint
Publication date: 2026-02-22
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including denial of service (DoS) and remote code execution.'}, {'type': 'list_item', 'content': "Denial of Service: Exploiting the buffer overflow can crash the router's web server or cause the device to reboot, making it unavailable."}, {'type': 'list_item', 'content': 'Arbitrary Code Execution: An attacker can overwrite control structures or function pointers, potentially executing malicious code with root privileges on the device.'}, {'type': 'list_item', 'content': 'Remote Exploitation: The attack can be performed remotely without authentication, increasing the risk of compromise.'}] [1, 2, 3]
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2926 is a stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router firmware version 1.01.07. It exists in the LTE Configuration Endpoint, specifically in the function sub_4237AC within the file /boafrm/formLteSetup.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the code copies the "submit-url" parameter into a fixed-size global buffer named wizard_htm using the unsafe strcpy function without checking the length of the input. If an attacker supplies an oversized "submit-url" value, it can overflow the buffer on the stack.'}, {'type': 'paragraph', 'content': 'This overflow can lead to memory corruption, potentially allowing an attacker to execute arbitrary code with root privileges or cause the device to crash or reboot. The attack can be launched remotely by sending a specially crafted POST request to the vulnerable endpoint.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests sent to the endpoint /boafrm/formLteSetup on the D-Link DWR-M960 router running firmware version 1.01.07.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying POST requests that include the parameter save_apply along with an oversized submit-url parameter, which triggers the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'Network administrators can use packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to /boafrm/formLteSetup and inspect the size and content of the submit-url parameter.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /boafrm/formLteSetup'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint by sending crafted POST requests with varying lengths of the submit-url parameter to observe if the device crashes or behaves abnormally.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring device logs for crashes or reboots of the web server (boa) may indicate exploitation attempts.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the vulnerable LTE Configuration Endpoint /boafrm/formLteSetup to trusted networks only, such as by implementing firewall rules that block external access to the router's web interface."}, {'type': 'paragraph', 'content': "Avoid exposing the device's management interface to the internet or untrusted networks to reduce the risk of remote exploitation."}, {'type': 'paragraph', 'content': 'Monitor the device for signs of compromise such as unexpected reboots or crashes of the web server process.'}, {'type': 'paragraph', 'content': 'Since no known patches or mitigations are currently available, it is recommended to replace the affected device with a non-vulnerable alternative as soon as possible.'}] [3]