CVE-2026-5211
Received Received - Intake
Remote Stack-Based Buffer Overflow in D-Link UPnP Server

Publication date: 2026-03-31

Last updated on: 2026-04-02

Assigner: VulDB

Description
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function UPnP_AV_Server_Path_Del of the file /cgi-bin/app_mgr.cgi. Executing a manipulation of the argument f_dir can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-02
Generated
2026-05-07
AI Q&A
2026-04-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-5211
EUVD
EUVD-2026-17613
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
dlink dnr-202l_firmware to 2026-02-05 (inc)
dlink dnr-326_firmware to 2026-02-05 (inc)
dlink dns-1100-4_firmware to 2026-02-05 (inc)
dlink dns-120_firmware to 2026-02-05 (inc)
dlink dns-1200-05_firmware to 2026-02-05 (inc)
dlink dns-1550-04_firmware to 2026-02-05 (inc)
dlink dns-315l_firmware to 2026-02-05 (inc)
dlink dns-320_firmware to 2026-02-05 (inc)
dlink dns-320l_firmware to 2026-02-05 (inc)
dlink dns-320lw_firmware to 2026-02-05 (inc)
dlink dns-321_firmware to 2026-02-05 (inc)
dlink dns-322l_firmware to 2026-02-05 (inc)
dlink dns-323_firmware to 2026-02-05 (inc)
dlink dns-325_firmware to 2026-02-05 (inc)
dlink dns-326_firmware to 2026-02-05 (inc)
dlink dns-327l_firmware to 2026-02-05 (inc)
dlink dns-340l_firmware to 2026-02-05 (inc)
dlink dns-343_firmware to 2026-02-05 (inc)
dlink dns-345_firmware to 2026-02-05 (inc)
dlink dns-726-4_firmware to 2026-02-05 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-5211 is a stack-based buffer overflow vulnerability found in certain D-Link NAS devices. It exists in the UPnP_AV_Server_Path_Del function within the /cgi-bin/app_mgr.cgi file. The vulnerability occurs because the function improperly handles the input parameter 'f_dir', which is supplied by an attacker. When an excessively long 'f_dir' value is sent, it overflows the stack buffer and overwrites the function's return address.

This flaw allows remote attackers to crash the device by sending a specially crafted POST request, potentially leading to denial of service or even arbitrary code execution.


How can this vulnerability impact me? :

This vulnerability can have serious impacts including causing the affected D-Link device to crash and become unresponsive, resulting in a denial of service. Because the buffer overflow can overwrite the return address, it may also allow remote attackers to execute arbitrary code on the device.

Such impacts can disrupt network services relying on the device, potentially leading to downtime and loss of availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a specially crafted POST request to the affected device's /cgi-bin/app_mgr.cgi endpoint, targeting the UPnP_AV_Server_Path_Del function with an excessively long f_dir parameter.

A proof of concept involves sending a POST request with the parameter cmd=UPnP_AV_Server_Path_Del and a very long string of repeated characters (e.g., 'a') as the value of f_dir. If the device crashes or becomes unresponsive, it indicates the presence of the vulnerability.

  • Example curl command to test the vulnerability:
  • curl -X POST http://<target-ip>/cgi-bin/app_mgr.cgi -d "cmd=UPnP_AV_Server_Path_Del&f_dir=$(python3 -c 'print("a"*1000)')"

Monitoring for crashes or unresponsiveness after sending such requests can help detect the vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the vulnerable device's management interface to trusted networks only, such as internal networks or VPNs.

Avoid exposing the /cgi-bin/app_mgr.cgi endpoint to untrusted or public networks to prevent remote exploitation.

If possible, apply any available firmware updates or patches provided by the vendor that address this vulnerability.

As a temporary measure, consider disabling UPnP services or the affected CGI functionality if the device configuration allows.

Monitor device logs and network traffic for suspicious POST requests targeting /cgi-bin/app_mgr.cgi with unusual parameters.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart