CVE-2026-7247
Buffer Overflow in D-Link DI-8100 File Extension Handler Allows Remote Exploit
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dlink | di-8100_firmware | 16.07.26a1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability (CVE-2026-7247) is a stack-based buffer overflow in the D-Link DI-8100 router's web interface, in the handler behind the /file_exten.asp endpoint. It is triggered through the "name" parameter during file extension configuration operations (opt=add or opt=mod). The handler formats the submitted value into a fixed-size stack buffer with sprintf, which places no bound on its output, and never checks the value's length beforehand (CWE-120); a value longer than the buffer therefore overwrites adjacent stack memory.
An attacker who holds valid administrative credentials can exploit this remotely by sending a crafted HTTP POST request whose "name" value is excessively long. On the device's MIPS build the overflow can reach saved control data such as the frame pointer and return address, which is what turns a crash into arbitrary code execution.
Successful exploitation can lead to full device compromise, denial of service, or lateral movement within the network.
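The sprintf-into-fixed-buffer pattern described above, as an added example (this is not the D-Link firmware's code, whose buffer size, format string and function names are not public): a hypothetical handler that receives the already-parsed "name" value, shown in the vulnerable form beside a hardened one. The 64-byte buffer, the "%s" format and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the real firmware's value is not public. */
#define NAME_BUF_SIZE 64

/* Vulnerable pattern (CWE-120): sprintf() writes as many bytes as the input
 * needs, so a "name" longer than NAME_BUF_SIZE - 1 runs past the buffer into
 * the saved frame pointer and return address. It is here only to contrast
 * with the fixed version; never feed it untrusted input. */
int set_extension_vulnerable(const char *name)
{
    char buf[NAME_BUF_SIZE];
    sprintf(buf, "%s", name);          /* no bound on the write */
    return (int)strlen(buf);
}

/* Hardened version: reject over-long input before formatting (the missing
 * length check), and use snprintf() so the write can never exceed the buffer
 * even if the check is later bypassed. Returns -1 when input is rejected. */
int set_extension_fixed(const char *name)
{
    char buf[NAME_BUF_SIZE];
    size_t len = strlen(name);
    if (len >= sizeof buf)
        return -1;                     /* explicit size validation */
    int n = snprintf(buf, sizeof buf, "%s", name);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                     /* snprintf signals truncation */
    return n;
}

/* Constructed test input: a name made of `len` 'A' bytes (caller frees). */
char *make_long_name(size_t len)
{
    char *s = malloc(len + 1);
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Returns 1 when the hardened handler accepts a normal extension name and
 * rejects an overflow-sized one. */
int demo(void)
{
    char *big = make_long_name(200);
    int ok = set_extension_fixed("exe");       /* 3 */
    int rejected = set_extension_fixed(big);   /* -1 */
    free(big);
    return ok == 3 && rejected == -1;
}

int main(void)
{
    printf("fixed(\"exe\") = %d, demo = %d\n", set_extension_fixed("exe"), demo());
    return 0;
}
```

Both the length check and snprintf are kept on purpose: the check gives a clean error path for the caller, and snprintf is the safety net if a later refactor loses the check.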
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Full device compromise through arbitrary code execution.
- Denial of service by crashing the HTTP service, which does not restart automatically and requires a device reboot.
- Potential lateral movement within the network if the device is compromised, increasing the risk to other connected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
On the wire, exploitation looks like an authenticated administrative session sending an HTTP POST to /file_exten.asp with opt=add or opt=mod and a "name" value far longer than any legitimate file extension. Detection therefore comes down to capturing requests to that endpoint and measuring the length of the "name" field.
- Use a packet capture tool such as tcpdump or Wireshark to isolate HTTP POST requests to /file_exten.asp.
- Example tcpdump command (the filter keeps only TCP segments that carry payload; -l line-buffers the output so grep sees it promptly; change `tcp port 80` if the management interface listens on another port): tcpdump -i <interface> -l -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /file_exten.asp'
- Inspect the captured POST bodies for opt=add or opt=mod and check the length of the "name" parameter. A packet capture only exposes the body when the management interface is served over plain HTTP; over HTTPS you need the device's own logs or a TLS-terminating proxy.
- Monitor device logs and uptime for HTTP service crashes; because the service does not restart on its own, an unexplained web-interface outage may indicate an exploitation attempt.
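The request-inspection logic from the list above, as an added example that is neither the page's nor the vendor's code: it runs over constructed HTTP requests embedded inline and flags a POST to /file_exten.asp whose opt is add or mod and whose "name" value exceeds a length threshold. The 64-byte threshold is an assumption (the firmware's real buffer size is not public) and the request texts are constructed samples, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Assumed threshold for an "unusually large" name; ordinary extensions
 * ("exe", "docx") stay well under it. Tune it to what your devices send. */
#define NAME_LEN_THRESHOLD 64

/* Locate key=value in a URL-encoded body. Matches only when the key sits at
 * the start of the body or right after '&', so "name" does not match
 * "filename". Returns a pointer to the value and its (still percent-encoded)
 * length, or NULL when the key is absent. */
const char *param_value(const char *body, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == body || p[-1] == '&') && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p += klen;
    }
    return NULL;
}

/* Returns 1 when a raw HTTP request matches the pattern described on this
 * page: POST to /file_exten.asp, opt=add or opt=mod, and a name value longer
 * than NAME_LEN_THRESHOLD. Encoded length is an upper bound on the decoded
 * length, so decode the value first if you need an exact comparison. */
int is_suspicious_request(const char *raw)
{
    if (strncmp(raw, "POST /file_exten.asp", 20) != 0)
        return 0;
    const char *body = strstr(raw, "\r\n\r\n");
    if (body == NULL)
        return 0;
    body += 4;                        /* skip the blank line after the headers */

    size_t olen = 0, nlen = 0;
    const char *opt = param_value(body, "opt", &olen);
    if (opt == NULL || olen != 3)
        return 0;
    if (strncmp(opt, "add", 3) != 0 && strncmp(opt, "mod", 3) != 0)
        return 0;
    const char *name = param_value(body, "name", &nlen);
    if (name == NULL)
        return 0;
    return nlen > NAME_LEN_THRESHOLD;
}

/* Constructed sample of a legitimate configuration request. */
static const char benign_request[] =
    "POST /file_exten.asp HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "opt=add&name=exe";

int check_benign(void)
{
    return is_suspicious_request(benign_request);
}

/* Constructs a request whose name value is `name_len` bytes of 'A' (capped
 * at 900 to fit the buffer) and runs the check on it. */
int check_oversized(const char *opt, size_t name_len)
{
    static char req[1024];
    char name[901];
    if (name_len > 900)
        name_len = 900;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    snprintf(req, sizeof req,
             "POST /file_exten.asp HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
             "opt=%s&name=%s", opt, name);
    return is_suspicious_request(req);
}

int main(void)
{
    printf("benign: %d\n", check_benign());                              /* 0 */
    printf("opt=mod, 200-byte name: %d\n", check_oversized("mod", 200)); /* 1 */
    printf("opt=del, 200-byte name: %d\n", check_oversized("del", 200)); /* 0 */
    return 0;
}
```

The same three conditions (path, opt value, name length) translate directly into an IDS rule or a WAF policy; the length threshold is the only part that needs tuning per deployment.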
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the administrative interface to trusted networks and users, as exploitation requires authenticated administrative sessions.
Monitor and block suspicious HTTP POST requests to /file_exten.asp with unusually large "name" parameter values.
If exploitation is suspected or detected, rebooting the affected device can temporarily restore service, as the HTTP service crashes and does not restart automatically after exploitation.
Apply any available firmware updates or patches from the vendor addressing this vulnerability once they become available.
Consider implementing network-level protections such as web application firewalls (WAF) to detect and block malicious payloads targeting this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote authenticated attackers to execute arbitrary code on the affected device, potentially leading to full device compromise, denial of service, or lateral network movement.
Such a compromise could result in unauthorized access to sensitive data or disruption of services, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and health information.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.