CVE-2026-8260
Undergoing Analysis Undergoing Analysis - In Progress
Buffer Overflow in D-Link DCS-935L HNAP Service

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A vulnerability was found in D-Link DCS-935L up to 1.10.01. The impacted element is the function SetDeviceSettings of the file /web/cgi-bin/hnap/hnap_service of the component HNAP Service. The manipulation of the argument AdminPassword results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8260
EUVD
EUVD-2026-29016
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
d-link dcs-935l to 1.10.01 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8260 is a stack-based buffer overflow vulnerability found in the D-Link DCS-935L firmware's HNAP service handler, specifically in the function SetDeviceSettings within /web/cgi-bin/hnap/hnap_service.

The vulnerability arises from improper length validation in the AESDecrypt function and its underlying decoding function. An attacker can exploit this by sending a specially crafted malicious XML request containing a long hexadecimal string in the AdminPassword field.

This triggers a buffer overflow that allows remote code execution (RCE) with root privileges, enabling the attacker to hijack the device's execution flow.

Exploitation requires prior login to obtain web administrator privileges but escalates to full OS-level control.

Impact Analysis

Successful exploitation of this vulnerability can lead to several severe impacts:

  • Remote code execution with root privileges on the affected device.
  • Creation of persistent backdoors that allow continued unauthorized access.
  • Lateral movement within the network, potentially compromising other connected systems.
  • Turning the device into a botnet node used for distributed denial-of-service (DDoS) attacks.
Detection Guidance

This vulnerability can be detected by monitoring for malicious XML requests sent to the HNAP service of the D-Link DCS-935L device, specifically targeting the AdminPassword field with unusually long hexadecimal strings.

Detection involves inspecting network traffic for crafted XML payloads that contain hex-encoded data in the AdminPassword argument, which is indicative of an exploit attempt.

While no specific commands are provided, network administrators can use tools like Wireshark or tcpdump to capture HTTP POST requests to the /web/cgi-bin/hnap/hnap_service endpoint and filter for suspiciously long AdminPassword fields.

Additionally, checking device logs for repeated failed or unusual administrative login attempts or unexpected behavior in the HNAP service may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting access to the HNAP service, especially limiting administrative login capabilities to trusted networks or IP addresses.

Ensure that only authorized users can access the web administration interface, as exploitation requires prior login with web administrator privileges.

Monitor and block suspicious XML payloads targeting the AdminPassword field to prevent buffer overflow attempts.

If available, apply firmware updates or patches provided by the vendor to fix the vulnerability.

As a temporary measure, consider disabling the HNAP service if it is not essential for device operation.

Compliance Impact

The vulnerability in the D-Link DCS-935L allows remote code execution with root privileges after prior login, potentially leading to persistent backdoors, lateral movement within networks, and the device being used as a botnet node. Such unauthorized access and control over the device can result in compromise of sensitive data and network integrity.

This level of compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, secure device management, and prevention of unauthorized access. Exploitation of this vulnerability could lead to data breaches or unauthorized data processing, thereby violating these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8260. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart