CVE-2026-4181
Stack-Based Buffer Overflow in D-Link DIR-816 goahead Component
Publication date: 2026-03-16
Last updated on: 2026-04-06
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-816_firmware | 1.10cnb05 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4181 is a stack-based buffer overflow vulnerability found in the D-Link DIR-816 router's GoAhead web server component, specifically in the function form2RepeaterStep2.cgi.
The vulnerability occurs because the parameters key1, key2, key3, key4, and pskValue are accepted from an attacker without any input validation or length checks. These parameters are copied into local stack variables without bounds checking.
When an attacker sends excessively long input values for these parameters, it causes a stack overflow that overwrites the function's return address, enabling arbitrary code execution or causing the router to crash.
This flaw can be exploited remotely without authentication, making it a critical security risk. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can have severe impacts including denial of service and remote code execution on the affected router.
- Remote attackers can crash the router, causing it to become unresponsive and unable to provide network services.
- Attackers may execute arbitrary code remotely, potentially taking full control of the device.
- The router's confidentiality, integrity, and availability can be compromised.
- Since the device is no longer supported by the vendor, no patches or mitigations are available, increasing the risk.
[1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual POST requests to the endpoint /goform/form2RepeaterStep2.cgi containing excessively long values in the parameters key1, key2, key3, key4, or pskValue.
A proof-of-concept involves sending a POST request with a very long string (e.g., a long sequence of 'a' characters) in the key1 parameter, which causes the router to crash.
To detect potential exploitation attempts or test for the vulnerability, you can use commands such as curl to send crafted POST requests and observe the router's response or stability.
- Example command to test the vulnerability: curl -X POST -d "key1=$(python3 -c 'print("a"*1000)')&key2=test&key3=test&key4=test&pskValue=test" http://<router-ip>/goform/form2RepeaterStep2.cgi
Monitoring network traffic for POST requests to /goform/form2RepeaterStep2.cgi with unusually large parameter values can also help detect exploitation attempts. [1, 3]
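
The monitoring check described above, sketched as an added example (not code from this page, the vendor, or any detection product): it parses raw HTTP requests, as a proxy or packet capture would supply them, and flags oversized values in the five named parameters. The 64-byte threshold, the sample requests and the `/goform/other.cgi` path are assumptions constructed for illustration; the page does not state the real buffer sizes.

```python
from urllib.parse import parse_qsl

ENDPOINT = "/goform/form2RepeaterStep2.cgi"
WATCHED = {"key1", "key2", "key3", "key4", "pskValue"}
# Assumption: 64 is the longest legitimate WPA pre-shared key (64 hex digits).
# The page does not give the firmware's buffer sizes; tune this per network.
MAX_LEN = 64

def inspect(raw: bytes, max_len: int = MAX_LEN):
    """Return [(param, decoded_length)] for oversized watched parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return []
    if parts[1].split("?", 1)[0] != ENDPOINT:
        return []
    # latin-1 maps one byte to one character, so len() is the byte count
    # after percent-decoding, i.e. the size the CGI handler would receive.
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    return [(k, len(v)) for k, v in fields if k in WATCHED and len(v) > max_len]

def build(path: str, body: bytes) -> bytes:
    """Construct a sample request (test data, not captured traffic)."""
    head = (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body

# Constructed samples; /goform/other.cgi is a hypothetical unrelated path.
SAMPLES = {
    "benign": build(ENDPOINT, b"key1=0123456789&key2=&key3=&key4=&pskValue=examplepsk123456"),
    "oversized": build(ENDPOINT, b"key1=" + b"a" * 1000 + b"&key2=test&pskValue=test"),
    "encoded": build(ENDPOINT, b"pskValue=" + b"%41" * 100),
    "other_path": build("/goform/other.cgi", b"key1=" + b"a" * 1000),
}

def scan(samples=SAMPLES):
    """Map sample name -> findings, omitting requests with no findings."""
    results = {name: inspect(raw) for name, raw in samples.items()}
    return {name: hits for name, hits in results.items() if hits}

if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"ALERT {name}: {hits}")
```

Lengths are measured after percent-decoding, so a value sent as `%41` repeated 100 times counts as 100 bytes rather than 300.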
What immediate steps should I take to mitigate this vulnerability?
Since the affected D-Link DIR-816 1.10CNB05 router is no longer supported by the vendor and no official patches or mitigations are available, immediate mitigation steps focus on reducing exposure.
- Replace the vulnerable device with a supported and updated router model to eliminate the risk.
- Restrict remote access to the router's web interface, especially blocking access to the /goform/form2RepeaterStep2.cgi endpoint from untrusted networks.
- Implement network-level protections such as firewall rules or intrusion detection/prevention systems to detect and block malicious POST requests targeting this endpoint.
Mitigation also involves avoiding sending or accepting excessively long input values for the parameters key1, key2, key3, key4, and pskValue, but since this requires code changes, it is not feasible without vendor support. [1, 2]