CVE-2026-4184
Remote Stack-Based Buffer Overflow in D-Link DIR-816 goahead Component
Publication date: 2026-03-16
Last updated on: 2026-03-19
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-816_firmware | 1.10cnb05 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4184 is a stack-based buffer overflow vulnerability in the GoAhead web server component of the D-Link DIR-816 router, firmware version 1.10CNB05.
The flaw occurs in the CGI function form2Wl5BasicSetup.cgi, specifically in the handling of the pskValue parameter. This parameter is taken from an HTTP POST request and copied into a local stack variable without any input length validation.
If an attacker supplies an excessively long pskValue, it overwrites the function's return address on the stack, causing a buffer overflow that can lead to arbitrary code execution or a crash of the router's server.
The vulnerability can be exploited remotely without authentication by sending a crafted HTTP POST request to the vulnerable CGI endpoint. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can have severe impacts on the affected device and its users.
- Remote attackers can exploit the flaw without authentication.
- Successful exploitation can lead to arbitrary code execution, allowing attackers to take control of the router.
- The router can crash and become unresponsive, causing denial of service and disruption of network connectivity.
- Confidentiality, integrity, and availability of the device and network traffic can be compromised.
- Since the affected product is no longer supported by the vendor, no official patches or mitigations are available, increasing the risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted HTTP POST request to the vulnerable endpoint /goform/form2Wl5BasicSetup.cgi with an excessively long pskValue parameter. A proof-of-concept involves sending a POST request where pskValue consists of repeated characters (e.g., 'a') to trigger the stack-based buffer overflow.
A simple detection command using curl could be:
- curl -X POST http://<router-ip>/goform/form2Wl5BasicSetup.cgi -d "pskValue=$(python3 -c 'print("a"*1000)')"
If the router crashes or becomes unresponsive after this request, it indicates the presence of the vulnerability. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Since the affected product (D-Link DIR-816 1.10CNB05) is no longer supported by the vendor and no known countermeasures or patches are available, the recommended immediate mitigation is to replace the vulnerable device with a supported and updated model.
Additionally, to reduce risk, restrict remote access to the router's management interface to trusted networks only, and monitor for suspicious POST requests to /goform/form2Wl5BasicSetup.cgi.
Implementing strict input validation and length checks on the pskValue parameter is recommended in theory, but this requires vendor action or custom firmware modifications. [1, 2]
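One way to implement the monitoring suggested above, as an added example (not code from D-Link or from the advisory): it flags POSTs to the endpoint whose decoded pskValue is longer than 64 characters, the longest valid WPA/WPA2 pre-shared key. The raw-request input format, the sample traffic and the `/goform/other.cgi` path are constructed for illustration; the size of the device's stack buffer is not stated on this page, so the threshold is based on the legitimate key length only.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/form2Wl5BasicSetup.cgi"   # path named in the advisory
PARAM = "pskValue"                            # parameter named in the advisory
MAX_PSK_LEN = 64   # WPA/WPA2 PSK: 8-63 char passphrase or 64 hex digits


def inspect_request(raw: bytes):
    """Return a finding dict if the raw HTTP request is an oversized-PSK POST, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split()
    if len(parts) != 3:
        return None                     # not a well-formed request line
    method, target, _version = parts
    if method.upper() != "POST" or urlsplit(target).path != ENDPOINT:
        return None
    # Decode the form body first so percent-encoding cannot hide the true length.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    longest = max((len(v) for v in fields.get(PARAM, [])), default=0)
    if longest <= MAX_PSK_LEN:
        return None
    return {"path": ENDPOINT, "param": PARAM, "length": longest}


def scan(requests):
    """Inspect an iterable of (source_ip, raw_request) pairs; return the findings."""
    findings = []
    for src, raw in requests:
        hit = inspect_request(raw)
        if hit:
            findings.append({"src": src, **hit})
    return findings


# Constructed sample traffic (documentation addresses, not real captures).
def _req(path, body):
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

SAMPLES = [
    ("198.51.100.7", _req(ENDPOINT, "ssid=home&pskValue=correct-horse-battery")),
    ("198.51.100.9", _req(ENDPOINT, "pskValue=" + "a" * 1000)),
    ("198.51.100.9", _req(ENDPOINT, "pskValue=" + "%61" * 200)),
    ("198.51.100.8", _req("/goform/other.cgi", "pskValue=" + "a" * 1000)),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"ALERT {f['src']} -> {f['path']} {f['param']} length={f['length']}")
```

The same length rule can be applied at a reverse proxy or IDS placed in front of the management interface, where the request can be dropped before it reaches the router.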