CVE-2026-4486
Received Received - Intake
Stack-Based Buffer Overflow in D-Link DIR-513 Web Service

Publication date: 2026-03-20

Last updated on: 2026-04-03

Assigner: VulDB

Description
A vulnerability was found in D-Link DIR-513 1.10. This affects the function formEasySetPassword of the file /goform/formEasySetPassword of the component Web Service. The manipulation of the argument curTime results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4486
EUVD
EUVD-2026-13702
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dlink dir-513_firmware 1.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability exists in the D-Link DIR-513 router\'s web service, specifically in the formEasySetPassword function. It arises from improper handling of the curTime parameter in an HTTP POST request, where the input is not properly validated for length. When the language parameter is set to a value other than "SC" or "TW", an unsafe sprintf call concatenates the curTime string into a fixed-size 104-byte stack buffer without bounds checking. An attacker can send an excessively long curTime value, causing a stack-based buffer overflow that overwrites the return address on the stack.'}, {'type': 'paragraph', 'content': 'This overflow can lead to denial of service (DoS) or remote code execution (RCE) on the device. The vulnerability can be exploited remotely by sending a crafted HTTP POST request to the /goform/formEasySetPassword endpoint with a large payload in curTime and language set to "EN".'}] [1]

Compliance Impact

I don't know

Impact Analysis

Exploitation of this vulnerability can allow an attacker to cause a denial of service (DoS) or execute arbitrary code remotely on the affected D-Link DIR-513 router. This means the attacker could potentially take control of the device, disrupt its normal operation, or use it as a foothold for further attacks within the network.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests sent to the /goform/formEasySetPassword endpoint on the D-Link DIR-513 device.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying requests where the "curTime" parameter contains an abnormally long value, and the "language" parameter is set to a value other than "SC" or "TW" (e.g., "EN").'}, {'type': 'paragraph', 'content': 'A practical approach is to use network traffic inspection tools or Web Application Firewalls (WAF) to flag or block such suspicious requests.'}, {'type': 'paragraph', 'content': 'For command-line detection, you can use tools like tcpdump or tshark to capture and filter HTTP POST requests to the vulnerable endpoint, for example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/formEasySetPassword'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "POST" and http.request.uri contains "/goform/formEasySetPassword"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'You can then inspect the captured POST data for unusually long "curTime" parameter values and check the "language" parameter.'}, {'type': 'paragraph', 'content': 'Additionally, the provided Python proof-of-concept script (Resource 2) demonstrates how an exploit payload is constructed and sent, which can be adapted for detection by sending test requests or analyzing logs for similar patterns.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing input validation to restrict the length of the "curTime" parameter to a safe maximum (e.g., 60 bytes) to prevent buffer overflow.'}, {'type': 'paragraph', 'content': 'Deploy Web Application Firewalls (WAF) or traffic monitoring solutions to block or alert on HTTP POST requests targeting /goform/formEasySetPassword with abnormally long "curTime" values and language parameters other than "SC" or "TW".'}, {'type': 'paragraph', 'content': 'Since the affected products are no longer supported by the maintainer, official firmware patches may not be available. However, the recommended code fix is to replace the unsafe sprintf call with a bounds-checked function like snprintf to prevent overflow.'}, {'type': 'paragraph', 'content': 'If possible, consider isolating or removing the vulnerable device from critical network segments to reduce exposure.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart