CVE-2026-2882 is a high-severity stack-based buffer overflow vulnerability in D-Link’s DWR-M960 4G/5G router running firmware version 1.01.07. Rated 8.8/10 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the flaw enables remote code execution (RCE) with only low privileges, posing an urgent threat to home and small-business networks worldwide.
The vulnerability resides in the sub_46385C function within the /boafrm/formDosCfg endpoint, part of the router’s web management interface. By manipulating the submit-url argument, attackers can trigger a stack-based buffer overflow (CWE-121).
No user interaction is required, and exploitation is feasible over the network with low-privilege access, such as a valid set of login credentials. A proof-of-concept (PoC) exploit is already public, as detailed in VulDB’s advisory (ID 347176) and a GitHub issue from researcher LX-66-LX.
Published on February 21, 2026, the CVE carries an exploitation status of “Proof-of-concept” (E:P), with no known wild exploits yet, but a high risk of automated attacks.
| CVE ID | Score | CWE | Vendor | Version | Product |
|---|---|---|---|---|---|
| CVE-2026-2882 | 8.8 | CWE-121 (Stack-based Buffer Overflow) | D-Link | 1.01.07 | DWR-M960 |
The vector underscores its potency: network-accessible, low-complexity, and with privileges limited to basic authentication. Successful exploitation grants attackers high-impact control over the device’s confidentiality, integrity, and availability.
Critical Flaw in D-Link DWR-M960 Router
D-Link DWR-M960 routers, popular for their portable 4G/5G connectivity in remote offices and consumer setups, expose this flaw via the Boa web server, which handles form submissions.
The overflow occurs when the submit-url parameter exceeds buffer bounds, overwriting the stack and allowing arbitrary code injection. Reverse-engineering reveals the function lacks bounds checking, making it a classic pre-auth RCE vector if management interfaces face the WAN.
Risk analysis flags this as “high risk” for RCE. Attackers could pivot to intercept traffic, spoof DNS responses, manipulate routing tables, or laterally traverse connected networks. Home users with UPnP or exposed admin panels are prime targets; small businesses often deploy these at network edges without segmentation.
The most likely vector: an attacker scans for exposed DWR-M960 instances (via Shodan or similar), guesses weak credentials, and submits a crafted submit-url payload to /boafrm/formDosCfg. No user interaction is needed; the attack is purely remote. Exposed groups include consumers in regions with lax firmware update policies and SMBs that rely on default configurations.
Detection hinges on logs: watch for anomalous submit-url lengths, device crashes tied to Boa processes, or spikes in outbound C2 traffic. IDS signatures can be derived from the PoC patterns in VulDB’s CTI feed.
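The first of those detection signals, an anomalous submit-url length, is simple to check at a reverse proxy or IDS that logs full request bodies in front of the management interface. The following is an added example, not code from the advisory, from D-Link or from VulDB: it parses raw HTTP requests, and for POSTs to /boafrm/formDosCfg it flags a submit-url value that exceeds a length baseline or contains non-printable bytes. The baseline of 128 bytes, the request fixtures and the `Finding` structure are assumptions made for the example; a legitimate submit-url on this firmware is a short page path, so the threshold should be tuned to the longest value seen in baseline traffic.

```python
# Added example: flag POSTs to the vulnerable Boa form handler whose
# submit-url field is far longer than any legitimate page path.
# Not the router's code; all values below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

WATCHED_PATH = "/boafrm/formDosCfg"
# Assumption: real submit-url values are short relative paths such as
# "/dos.htm"; anything above this length is treated as an overflow attempt.
MAX_SUBMIT_URL_LEN = 128


@dataclass
class Finding:
    source_ip: str
    path: str
    submit_url_len: int
    reason: str


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, form fields).

    Decoding as latin-1 maps each byte to exactly one character, so the
    field lengths measured below are byte counts even when the payload
    is not valid UTF-8.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    path = target.split("?", 1)[0]
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    return method, path, fields


def inspect_request(source_ip: str, raw: bytes) -> Optional[Finding]:
    """Return a Finding for a suspicious formDosCfg POST, otherwise None."""
    method, path, fields = parse_http_request(raw)
    if method != "POST" or path != WATCHED_PATH:
        return None
    values = fields.get("submit-url")
    if not values:
        return None
    value = values[0]
    if len(value) > MAX_SUBMIT_URL_LEN:
        return Finding(source_ip, path, len(value),
                       "submit-url exceeds length baseline")
    # Addresses or shellcode embedded in the field show up as bytes
    # outside printable ASCII, which no page path should contain.
    if any(not 0x20 <= ord(c) <= 0x7E for c in value):
        return Finding(source_ip, path, len(value),
                       "submit-url contains non-printable bytes")
    return None


def scan_requests(requests):
    """Run inspect_request over a list of (source_ip, raw_request) pairs."""
    findings = []
    for source_ip, raw in requests:
        finding = inspect_request(source_ip, raw)
        if finding is not None:
            findings.append(finding)
    return findings


def _post(path: str, body: bytes) -> bytes:
    """Build a minimal raw POST request (fixture helper for the samples)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.168.0.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed sample traffic: a normal save of the DoS settings page,
# an unrelated GET, and a POST whose submit-url is grossly oversized.
SAMPLE_REQUESTS = [
    ("192.168.0.20", _post(WATCHED_PATH, b"submit-url=%2Fdos.htm&dosEnabled=1")),
    ("192.168.0.21", b"GET /status.htm HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
    ("203.0.113.9", _post(WATCHED_PATH, b"submit-url=" + b"A" * 600 + b"&dosEnabled=1")),
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f.source_ip} -> {f.path}: {f.reason} (len={f.submit_url_len})")
```

Run it directly to see the one flagged request; in production, feed `inspect_request` each logged request and forward the returned `Finding` to the SIEM. Because the check keys on the form field rather than on a byte signature, it still fires when the filler bytes in a PoC are changed, which a pattern-only IDS rule would miss.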
Mitigations and Vendor Response
D-Link’s site (dlink.com) lacks a patch as of this writing; users must monitor for firmware updates and verify signatures post-install. Immediate steps:
- Disable WAN-facing remote management; bind to LAN only.
- Enforce VLAN segmentation and firewall rules blocking unsolicited HTTP/HTTPS traffic to ports 80 and 443.
- Enable verbose logging; hunt for overflows via kernel panics or Boa errors.
- Prioritize if EPSS ≥ 0.5 or KEV-listed; treat as P1 with 48-hour patch windows.
Site: cybersecuritypath.com