CVE-2026-2959
Stack-Based Buffer Overflow in D-Link DWR-M960 Remote Exploitable
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2959 is a critical stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, version 1.01.07. The flaw exists in the function sub_44E0F8 within the file /boafrm/formNewSchedule. It is triggered by manipulating the "submit-url" parameter with crafted input during a save operation, causing a stack-based buffer overflow due to the unsafe use of strcpy without validating input length.'}, {'type': 'paragraph', 'content': 'This vulnerability allows an attacker to remotely exploit the device without authentication by sending a specially crafted POST request to the WLAN Schedule configuration endpoint. The overflow can lead to memory corruption, potentially enabling arbitrary code execution or denial of service.'}] [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can impact the confidentiality, integrity, and availability of the affected device.
- Denial of Service (DoS) by crashing the web server or rebooting the device, making the router unreachable.
- Potential arbitrary code execution by overwriting function pointers or control structures, allowing an attacker to execute code with root privileges.
Because the exploit is remotely accessible without authentication and a public proof-of-concept is available, the risk of compromise is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /boafrm/formNewSchedule on the D-Link DWR-M960 router running firmware version 1.01.07.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying POST requests that include the parameter save_apply set and an oversized submit-url parameter, which triggers the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A proof of concept involves sending a crafted POST request with these parameters, which causes the web server to crash or the device to reboot.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts on your network, you can use network monitoring tools or packet capture utilities like tcpdump or Wireshark to filter HTTP POST requests to /boafrm/formNewSchedule.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formNewSchedule'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint manually by sending POST requests with varying submit-url lengths to observe abnormal behavior.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'There are no known countermeasures or official patches available for this vulnerability as of now.'}, {'type': 'paragraph', 'content': 'The recommended immediate mitigation is to replace the affected D-Link DWR-M960 device with an alternative product that is not vulnerable.'}, {'type': 'paragraph', 'content': "Additionally, you should restrict access to the router's management interface from untrusted networks to reduce the risk of remote exploitation."}, {'type': 'paragraph', 'content': 'Monitoring network traffic for exploitation attempts and disabling remote management features if possible can also help mitigate risk.'}] [1]