CVE-2026-2960
Remote Stack-Based Buffer Overflow in D-Link DWR-M960 DHCPv6 Function
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2960 is a critical stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, version 1.01.07. The flaw exists in the function sub_468D64 within the file /boafrm/formDhcpv6s, which handles the IPv6 DHCP server configuration.
The vulnerability is triggered by manipulating the "submit-url" argument in an HTTP request, specifically when the "save_apply" parameter is present. The function copies the content of "submit-url" into a fixed-size global buffer named wizard_htm using the unsafe strcpy function without checking the length of the input.
Because there is no bounds checking, an attacker can supply an excessively long string that overflows the buffer on the stack, causing memory corruption. This can be exploited remotely without local access or physical interaction. [1, 2, 3]
How can this vulnerability impact me?
Exploiting this vulnerability can lead to several severe impacts on the affected device.
- Denial of Service (DoS) by crashing the web server (boa) or rebooting the device, making the router unreachable.
- Potential arbitrary code execution by overwriting function pointers or control structures, allowing an attacker to hijack execution flow with root privileges.
- Compromise of confidentiality, integrity, and availability of the device.
Since the exploit is publicly available and can be executed remotely, the risk of attack is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual crashes or reboots of the D-Link DWR-M960 router, especially the hardware revision B1 running firmware version 1.01.07. Since the exploit involves sending a crafted HTTP POST request to the endpoint /boafrm/formDhcpv6s with the parameters save_apply=Apply and an excessively long submit-url parameter, detection can focus on identifying such suspicious HTTP requests.
A practical detection method is to capture and analyze HTTP traffic to the router, looking for POST requests to /boafrm/formDhcpv6s containing the save_apply parameter and unusually long submit-url values.
Example commands to detect such attempts could include using network packet capture tools like tcpdump or tshark to filter HTTP POST requests to the vulnerable endpoint:
- tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formDhcpv6s'
- tshark -i <interface> -Y 'http.request.method == "POST" and http.request.uri contains "/boafrm/formDhcpv6s"' -T fields -e http.file_data
Additionally, monitoring router logs for crashes or service restarts of the web server (boa) can indicate exploitation attempts. [3]
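The request pattern described in this answer can also be checked offline against reassembled HTTP requests, for example ones exported from a capture. The Python check below is an added example, not part of the original advisory or any vendor tooling; the 128-byte threshold, the sample requests and the page name inside them are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boafrm/formDhcpv6s"  # form handler named in the advisory
MAX_SUBMIT_URL = 128              # assumed threshold; the advisory gives no buffer size


def inspect_request(raw: bytes):
    """Return a finding dict if a raw HTTP request matches the advisory's pattern, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.decode("latin-1").split("\r\n")[0].split(" ")
    if len(parts) < 2:
        return None  # not a parseable request line
    method, url = parts[0], urlsplit(parts[1])
    if method.upper() != "POST" or url.path.rstrip("/") != ENDPOINT:
        return None
    # Parameters may arrive in the body or in the query string; merge both.
    params = parse_qs(url.query, keep_blank_values=True, encoding="latin-1")
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    for key, values in form.items():
        params.setdefault(key, []).extend(values)
    if "save_apply" not in params:
        return None
    # Measure the percent-decoded value in bytes (latin-1 maps one byte to one char),
    # so encoding tricks neither hide nor inflate the length that is compared.
    longest = max((len(v) for v in params.get("submit-url", [])), default=0)
    if longest <= MAX_SUBMIT_URL:
        return None
    return {"endpoint": url.path, "submit_url_len": longest}


# Constructed sample requests (not captured traffic); "/example.htm" is a placeholder.
BENIGN = (b"POST /boafrm/formDhcpv6s HTTP/1.1\r\nHost: 192.0.2.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"save_apply=Apply&submit-url=%2Fexample.htm")
OVERSIZED = BENIGN.replace(b"%2Fexample.htm", b"%2F" + b"A" * 600)

if __name__ == "__main__":
    for name, request in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, inspect_request(request))
```

A finding only shows that a matching request was sent; correlate it with boa crashes or device reboots before treating it as a successful exploitation.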
What immediate steps should I take to mitigate this vulnerability?
Currently, no known countermeasures or mitigations have been identified for this vulnerability. The safest immediate step is to replace the affected product, the D-Link DWR-M960 router with firmware version 1.01.07, to avoid exploitation.
As a temporary measure, restricting access to the router's web management interface from untrusted networks can reduce the risk of remote exploitation.
Monitoring network traffic for suspicious POST requests to /boafrm/formDhcpv6s and promptly responding to any detected exploitation attempts is also recommended. [1]