CVE-2026-4486
Stack-Based Buffer Overflow in D-Link DIR-513 Web Service
Publication date: 2026-03-20
Last updated on: 2026-04-03
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | dir-513_firmware | 1.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability exists in the D-Link DIR-513 router\'s web service, specifically in the formEasySetPassword function. It arises from improper handling of the curTime parameter in an HTTP POST request, where the input is not properly validated for length. When the language parameter is set to a value other than "SC" or "TW", an unsafe sprintf call concatenates the curTime string into a fixed-size 104-byte stack buffer without bounds checking. An attacker can send an excessively long curTime value, causing a stack-based buffer overflow that overwrites the return address on the stack.'}, {'type': 'paragraph', 'content': 'This overflow can lead to denial of service (DoS) or remote code execution (RCE) on the device. The vulnerability can be exploited remotely by sending a crafted HTTP POST request to the /goform/formEasySetPassword endpoint with a large payload in curTime and language set to "EN".'}] [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow an attacker to cause a denial of service (DoS) or execute arbitrary code remotely on the affected D-Link DIR-513 router. This means the attacker could potentially take control of the device, disrupt its normal operation, or use it as a foothold for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests sent to the /goform/formEasySetPassword endpoint on the D-Link DIR-513 device.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying requests where the "curTime" parameter contains an abnormally long value, and the "language" parameter is set to a value other than "SC" or "TW" (e.g., "EN").'}, {'type': 'paragraph', 'content': 'A practical approach is to use network traffic inspection tools or Web Application Firewalls (WAF) to flag or block such suspicious requests.'}, {'type': 'paragraph', 'content': 'For command-line detection, you can use tools like tcpdump or tshark to capture and filter HTTP POST requests to the vulnerable endpoint, for example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/formEasySetPassword'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "POST" and http.request.uri contains "/goform/formEasySetPassword"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'You can then inspect the captured POST data for unusually long "curTime" parameter values and check the "language" parameter.'}, {'type': 'paragraph', 'content': 'Additionally, the provided Python proof-of-concept script (Resource 2) demonstrates how an exploit payload is constructed and sent, which can be adapted for detection by sending test requests or analyzing logs for similar patterns.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include implementing input validation to restrict the length of the "curTime" parameter to a safe maximum (e.g., 60 bytes) to prevent buffer overflow.'}, {'type': 'paragraph', 'content': 'Deploy Web Application Firewalls (WAF) or traffic monitoring solutions to block or alert on HTTP POST requests targeting /goform/formEasySetPassword with abnormally long "curTime" values and language parameters other than "SC" or "TW".'}, {'type': 'paragraph', 'content': 'Since the affected products are no longer supported by the maintainer, official firmware patches may not be available. However, the recommended code fix is to replace the unsafe sprintf call with a bounds-checked function like snprintf to prevent overflow.'}, {'type': 'paragraph', 'content': 'If possible, consider isolating or removing the vulnerable device from critical network segments to reduce exposure.'}] [1]