CVE-2026-2962
Remote Stack-Based Buffer Overflow in D-Link DWR-M960 Scheduled Reboot
Publication date: 2026-02-23
Last updated on: 2026-02-23
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dwr-m960_firmware | 1.01.07 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2962 is a stack-based buffer overflow vulnerability found in the D-Link DWR-M960 router, firmware version 1.01.07. It exists in the Scheduled Reboot Configuration Endpoint, specifically in the function sub_460F30 within the file /boafrm/formDateReboot.
The vulnerability arises from unsafe handling of the submit-url parameter. When a POST request includes the save_apply parameter (indicating a save operation), the function copies the submit-url string into a fixed-size global buffer named wizard_htm using the unsafe strcpy function without verifying the length of the input. This lack of bounds checking can cause a stack-based buffer overflow.
Exploitation can be performed remotely by sending a specially crafted POST request with an oversized submit-url value, leading to memory corruption.
How can this vulnerability impact me?
Exploiting this vulnerability can have serious impacts including Denial of Service (DoS) and Arbitrary Code Execution.
- Denial of Service: Overwriting critical memory areas can crash the router's web server or cause the device to reboot unexpectedly, rendering it unreachable.
- Arbitrary Code Execution: An attacker can craft payloads to overwrite function pointers or control structures, potentially executing arbitrary code with root privileges on the device.

Because the exploit can be performed remotely without local access or physical interaction, the risk is significant. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /boafrm/formDateReboot on the affected D-Link DWR-M960 router running firmware version 1.01.07.

Specifically, detection involves identifying POST requests that include the parameter save_apply=Apply along with an unusually long or oversized submit-url parameter, which triggers the buffer overflow.

A practical detection method is to capture network traffic and filter HTTP POST requests targeting /boafrm/formDateReboot, then inspect the submit-url parameter length.
- Use a network packet capture tool like tcpdump or Wireshark to capture traffic on the router's management interface.
- Example tcpdump command to capture HTTP POST requests sent to the router (the filter matches the bytes "POST" at the start of the TCP payload; the endpoint itself is checked in the captured output):

```
tcpdump -A -s 0 'tcp port 80 and dst host <router_ip> and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
```

- Alternatively, use curl or similar tools to test the endpoint by sending crafted POST requests with varying submit-url lengths to observe if the device crashes or behaves abnormally.

No specific built-in commands on the device are documented for direct detection, so network traffic analysis and testing with crafted requests are the primary detection methods. [1, 3]
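The length check described above, as an added example that is not part of the original page: it parses a captured HTTP request and flags POSTs to /boafrm/formDateReboot that carry save_apply together with a submit-url longer than a threshold. The 128-character threshold, the function names, and the sample requests are assumptions constructed for illustration; the page does not state the size of wizard_htm.

```python
from urllib.parse import parse_qs

ENDPOINT = "/boafrm/formDateReboot"
# Assumption: the page does not give the size of wizard_htm, so this
# alert threshold is a tunable value, not the real buffer length.
MAX_SUBMIT_URL = 128

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("latin-1").split("\r\n")[0]
    method, target, _version = request_line.split(" ")  # ValueError if malformed
    return method.upper(), target.split("?", 1)[0], body

def check_request(raw: bytes, limit: int = MAX_SUBMIT_URL):
    """Return a finding dict for a suspicious request, else None."""
    try:
        method, path, body = parse_request(raw)
    except ValueError:
        return None
    if method != "POST" or path != ENDPOINT:
        return None
    # parse_qs percent-decodes, so lengths are measured on the decoded
    # value rather than on the wire encoding.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    if "save_apply" not in fields:
        return None
    longest = max((len(v) for v in fields.get("submit-url", [])), default=0)
    if longest <= limit:
        return None
    return {"path": path, "submit_url_len": longest, "limit": limit}

def build(body: str) -> bytes:
    """Construct a sample request (test data, not captured traffic)."""
    return (f"POST {ENDPOINT} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

SAMPLES = {
    "normal": build("submit-url=%2Freboot.htm&save_apply=Apply"),
    "oversized": build("submit-url=" + "A" * 600 + "&save_apply=Apply"),
    "encoded": build("submit-url=" + "%41" * 200 + "&save_apply=Apply"),
    "no_save_apply": build("submit-url=" + "A" * 600),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {check_request(raw)}")
```

The function expects one complete request, so a body split across TCP segments needs stream reassembly before it is checked.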
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding exposure of the router's management interface to untrusted networks to prevent remote exploitation.

Since no known countermeasures or patches are currently available for this vulnerability, it is recommended to replace the affected device with a secure alternative if possible.

If replacement is not immediately feasible, restrict access to the router's web interface using firewall rules or network segmentation to limit potential attackers.

Monitor the device for unusual crashes or reboots that may indicate exploitation attempts.

Stay updated with vendor announcements or security advisories for any forthcoming patches or firmware updates addressing this issue. [2]