CVE-2026-2961
Remote Stack-Based Buffer Overflow in D-Link VPN Endpoint
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2961 is a critical stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, version 1.01.07. It exists in the VPN Configuration Endpoint component, specifically in the function sub_4196C4 of the file /boafrm/formVpnConfigSetup.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from improper handling of the "submit-url" argument, which is copied into a fixed-size global buffer without checking its length. This unchecked use of the strcpy function allows an attacker to supply an oversized submit-url parameter that overflows the buffer, causing memory corruption.'}, {'type': 'paragraph', 'content': 'The flaw can be exploited remotely without authentication by sending a specially crafted POST request to the VPN configuration endpoint, potentially leading to denial of service or arbitrary code execution.'}] [1, 2, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can have severe impacts including:
- Denial of Service (DoS) by crashing the embedded web server or causing the device to reboot unexpectedly.
- Arbitrary Code Execution by overwriting function pointers or control structures in memory, allowing an attacker to run code with root privileges.
This compromises the confidentiality, integrity, and availability of the affected device, potentially allowing attackers to take full control remotely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /boafrm/formVpnConfigSetup containing an oversized submit-url parameter. A proof-of-concept exploit involves sending a POST request with a large submit-url value that passes initial validation and causes the web server to crash or the device to reboot.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can capture and analyze HTTP POST traffic targeting /boafrm/formVpnConfigSetup and look for unusually large submit-url parameters.'}, {'type': 'paragraph', 'content': 'Example command using tcpdump to capture relevant traffic:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boafrm/formVpnConfigSetup'"}, {'type': 'paragraph', 'content': 'Alternatively, use tools like Wireshark to filter HTTP POST requests to /boafrm/formVpnConfigSetup and inspect the submit-url parameter size.'}, {'type': 'paragraph', 'content': 'Since the vulnerability causes the embedded web server (boa) to crash or the device to reboot unexpectedly, monitoring device stability and logs for unexpected reboots or crashes can also help detect exploitation.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known countermeasures or mitigations available for this vulnerability.
The recommended immediate step is to replace the affected D-Link DWR-M960 device running firmware version 1.01.07 with an alternative product that is not vulnerable.
Additionally, restricting network access to the vulnerable VPN configuration endpoint and monitoring for suspicious activity may help reduce exposure until replacement.