CVE-2026-2928
Remote Stack-Based Buffer Overflow in D-Link WLAN Encryption Endpoint
Publication date: 2026-02-22
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2928 is a critical stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, version 1.01.07. It exists in the WLAN Encryption Configuration Endpoint, specifically within the function sub_452CCC of the file /boafrm/formWlEncrypt.'}, {'type': 'paragraph', 'content': 'The vulnerability is triggered by manipulating the "submit-url" argument with crafted input that is copied into a fixed-size global buffer without proper length checking. This causes a stack-based buffer overflow, which can lead to memory corruption.'}, {'type': 'paragraph', 'content': 'Because the vulnerable function uses the unsafe strcpy function without verifying input length, an attacker can supply an oversized "submit-url" parameter, causing the overflow.'}, {'type': 'paragraph', 'content': 'This flaw allows remote exploitation without authentication, potentially enabling denial of service by crashing the web server or device reboot, or even arbitrary code execution with root privileges by hijacking the execution flow.'}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can severely impact the affected device by allowing remote attackers to cause denial of service or execute arbitrary code with root privileges.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): The attacker can crash the router's web server or cause the device to reboot, making it unavailable."}, {'type': 'list_item', 'content': "Arbitrary Code Execution: By exploiting the buffer overflow, attackers can overwrite function pointers or control structures, potentially hijacking the device's execution flow with root-level access."}, {'type': 'paragraph', 'content': 'Since the exploit is publicly available and requires no authentication, the risk of compromise is high, and no known mitigations exist other than replacing the affected product.'}] [1, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for abnormal crashes or reboots of the D-Link DWR-M960 router, especially related to the web server handling the WLAN Encryption Configuration Endpoint at /boafrm/formWlEncrypt.'}, {'type': 'paragraph', 'content': 'Detection can also involve sending crafted POST requests to the /boafrm/formWlEncrypt endpoint with an oversized submit-url parameter to test if the device is vulnerable, as exploitation causes the web server to crash or the device to reboot.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves sending a POST request with parameters such as wlan_ssid_id=0, SSID_Setting=0, and an excessively long submit-url value.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (use with caution in a controlled environment):'}, {'type': 'list_item', 'content': 'curl -X POST http://[router-ip]/boafrm/formWlEncrypt -d "wlan_ssid_id=0&SSID_Setting=0&submit-url=$(python3 -c \'print("A"*1000)\')"'}, {'type': 'paragraph', 'content': 'Monitoring network traffic for unusual POST requests to /boafrm/formWlEncrypt or unexpected device behavior can also help detect exploitation attempts.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'No known mitigations or countermeasures have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': 'The recommended immediate step is to replace the affected D-Link DWR-M960 router with an alternative device to avoid the risk of exploitation.'}, {'type': 'paragraph', 'content': "Until a patch or firmware update is available, restricting network access to the router's management interface and monitoring for suspicious activity may reduce exposure."}] [1]