CVE-2026-8260
Buffer Overflow in D-Link DCS-935L HNAP Service
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| d-link | dcs-935l | up to 1.10.01 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8260 is a stack-based buffer overflow vulnerability found in the D-Link DCS-935L firmware's HNAP service handler, specifically in the function SetDeviceSettings within /web/cgi-bin/hnap/hnap_service.
The vulnerability arises from improper length validation in the AESDecrypt function and its underlying decoding function. An attacker can exploit this by sending a specially crafted malicious XML request containing a long hexadecimal string in the AdminPassword field.
This triggers a buffer overflow that allows remote code execution (RCE) with root privileges, enabling the attacker to hijack the device's execution flow.
Exploitation requires a prior login with web administrator privileges, but it escalates that access to full OS-level control.
How can this vulnerability impact me?
Successful exploitation of this vulnerability can lead to several severe impacts:
- Remote code execution with root privileges on the affected device.
- Creation of persistent backdoors that allow continued unauthorized access.
- Lateral movement within the network, potentially compromising other connected systems.
- Turning the device into a botnet node used for distributed denial-of-service (DDoS) attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for malicious XML requests sent to the HNAP service of the D-Link DCS-935L device, specifically targeting the AdminPassword field with unusually long hexadecimal strings.
Detection involves inspecting network traffic for crafted XML payloads that contain hex-encoded data in the AdminPassword argument, which is indicative of an exploit attempt.
While no specific commands are provided, network administrators can use tools like Wireshark or tcpdump to capture HTTP POST requests to the /web/cgi-bin/hnap/hnap_service endpoint and filter for suspiciously long AdminPassword fields.
Additionally, checking device logs for repeated failed or unusual administrative login attempts or unexpected behavior in the HNAP service may help identify exploitation attempts.
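As an added example (not from the advisory or from D-Link), the following Python applies the check described above to HNAP request bodies that have already been extracted from a packet capture or proxy log. The 64-character threshold, the finding labels and the sample SOAP envelopes are assumptions constructed for illustration; tune the threshold to the longest AdminPassword value your own clients legitimately send.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: this limit is not stated in the advisory. Set it from the
# longest legitimate AdminPassword value observed on your network.
MAX_ADMINPASSWORD_LEN = 64
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def inspect_hnap_body(body, max_len=MAX_ADMINPASSWORD_LEN):
    """Return a list of finding labels for one HNAP request body (str)."""
    # The body is untrusted: refuse DTDs so entity expansion cannot be
    # used to exhaust memory in the monitoring tool itself.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return ["dtd-present"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed-xml"]  # worth reviewing, not silently dropped
    findings = []
    for action in (e for e in root.iter() if _local(e.tag) == "SetDeviceSettings"):
        for el in (e for e in action.iter() if _local(e.tag) == "AdminPassword"):
            value = (el.text or "").strip()
            if len(value) > max_len:
                kind = "hex" if HEX_RE.fullmatch(value) else "non-hex"
                findings.append(f"oversized-adminpassword:{kind}:{len(value)}")
    return findings

def _body(password):
    """Constructed SOAP envelope for testing; not captured traffic."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><SetDeviceSettings xmlns="http://purenetworks.com/HNAP1/">'
        f"<AdminPassword>{password}</AdminPassword>"
        "</SetDeviceSettings></soap:Body></soap:Envelope>"
    )

SAMPLES = {
    "normal": _body("3f9a" * 8),      # 32 hex characters
    "oversized": _body("0f" * 400),   # 800 hex characters
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_hnap_body(body))
```

Camera traffic served over HTTPS must be decrypted or logged at a reverse proxy before this check can see the request body.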
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the HNAP service, especially limiting administrative login capabilities to trusted networks or IP addresses.
Ensure that only authorized users can access the web administration interface, as exploitation requires prior login with web administrator privileges.
Monitor and block suspicious XML payloads targeting the AdminPassword field to prevent buffer overflow attempts.
If available, apply firmware updates or patches provided by the vendor to fix the vulnerability.
As a temporary measure, consider disabling the HNAP service if it is not essential for device operation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the D-Link DCS-935L allows remote code execution with root privileges after prior login, potentially leading to persistent backdoors, lateral movement within networks, and the device being used as a botnet node. Such unauthorized access and control over the device can result in compromise of sensitive data and network integrity.
This level of compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, secure device management, and prevention of unauthorized access. Exploitation of this vulnerability could lead to data breaches or unauthorized data processing, thereby violating these regulations.