CVE-2026-4211
Awaiting Analysis Awaiting Analysis - Queue
Remote Stack-Based Buffer Overflow in D-Link Local_Backup_Info

Publication date: 2026-03-16

Last updated on: 2026-03-19

Assigner: VulDB

Description
A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this issue is the function Local_Backup_Info of the file /cgi-bin/local_backup_mgr.cgi. This manipulation of the argument f_idx causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4211
EUVD
EUVD-2026-12284
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
dlink dnr-202l_firmware to 2026-02-05 (inc)
dlink dnr-326_firmware to 2026-02-05 (inc)
dlink dns-1100-4_firmware to 2026-02-05 (inc)
dlink dns-120_firmware to 2026-02-05 (inc)
dlink dns-1200-05_firmware to 2026-02-05 (inc)
dlink dns-1550-04_firmware to 2026-02-05 (inc)
dlink dns-315l_firmware to 2026-02-05 (inc)
dlink dns-320_firmware to 2026-02-05 (inc)
dlink dns-320l_firmware to 2026-02-05 (inc)
dlink dns-320lw_firmware to 2026-02-05 (inc)
dlink dns-321_firmware to 2026-02-05 (inc)
dlink dns-322l_firmware to 2026-02-05 (inc)
dlink dns-323_firmware to 2026-02-05 (inc)
dlink dns-325_firmware to 2026-02-05 (inc)
dlink dns-326_firmware to 2026-02-05 (inc)
dlink dns-327l_firmware to 2026-02-05 (inc)
dlink dns-340l_firmware to 2026-02-05 (inc)
dlink dns-343_firmware to 2026-02-05 (inc)
dlink dns-345_firmware to 2026-02-05 (inc)
dlink dns-726-4_firmware to 2026-02-05 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4211 is a critical stack-based buffer overflow vulnerability found in multiple D-Link NAS devices. It exists in the Local_Backup_Info function of the /cgi-bin/local_backup_mgr.cgi script. The vulnerability arises because the argument f_idx, which is attacker-controlled, is copied into a stack buffer without proper validation or length checks. If an attacker supplies an input longer than the buffer size, it causes a stack overflow, potentially overwriting the function's return address."}, {'type': 'paragraph', 'content': 'This flaw can be exploited remotely without authentication, allowing attackers to crash the device or execute arbitrary code. A proof-of-concept exploit is publicly available, demonstrating how sending a specially crafted POST request with an overly long f_idx parameter can trigger the overflow.'}] [1, 2, 3]

Impact Analysis

This vulnerability can severely impact affected devices by allowing remote attackers to cause denial of service or execute arbitrary code. Exploiting the stack-based buffer overflow can crash the device, making it unavailable and disrupting services.

Additionally, successful exploitation can compromise the confidentiality, integrity, and availability of the device, potentially allowing attackers to take control, manipulate data, or disrupt operations.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by sending a specially crafted POST request to the affected device's /cgi-bin/local_backup_mgr.cgi endpoint, specifically targeting the Local_Backup_Info function with an excessively long string in the f_idx parameter."}, {'type': 'paragraph', 'content': "A proof-of-concept involves sending a POST request with a long string of 'a' characters assigned to the f_idx parameter, which causes the device to crash or behave abnormally, indicating the presence of the vulnerability."}, {'type': 'paragraph', 'content': 'Example command using curl to test for the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X POST http://[target-ip]/cgi-bin/local_backup_mgr.cgi -d "f_idx=$(python3 -c \'print("a"*1000)\')"'}, {'type': 'paragraph', 'content': 'If the device crashes, becomes unresponsive, or exhibits denial-of-service symptoms after this request, it is likely vulnerable.'}] [2]

Mitigation Strategies

No known mitigations or countermeasures have been identified for this vulnerability as of the disclosure date.

Due to the critical severity and ease of exploitation, the recommended immediate step is to replace the affected D-Link devices with alternative products that are not vulnerable.

Additionally, restricting network access to the affected devices, especially blocking remote access to the /cgi-bin/local_backup_mgr.cgi endpoint, may reduce exposure until replacement or patching is possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4211. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart