CVE-2026-2857

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in the D-Link DWR-M960 router's port forwarding configuration endpoint allows remote attackers to execute arbitrary code. This affects D-Link DWR-M960 routers running firmware version 1.01.07. Remote exploitation is possible without authentication.

💻 Affected Systems

Products:
  • D-Link DWR-M960
Versions: 1.01.07
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface's port forwarding configuration endpoint. The device's web interface must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete device compromise, data exfiltration, and use as a pivot point into internal networks.

🟠 Likely Case

Remote code execution allowing attackers to install malware, create backdoors, or disrupt network services.

🟢 If Mitigated

Limited impact if the device is behind a firewall with restricted WAN access or if exploit attempts are blocked by network security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires sending a specially crafted request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

Check the D-Link website for firmware updates. If one is available, download it and install it via the web interface: Login > Maintenance > Firmware Upgrade > Browse > Upload > Apply.

🔧 Temporary Workarounds

Disable WAN access to web interface

Prevent external access to the vulnerable endpoint by disabling remote administration.

Restrict access with firewall rules

Block external access to port 80/443 on the router's WAN interface.

🧯 If You Can't Patch

  • Replace affected device with a supported model
  • Segment network to isolate vulnerable device

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the web interface: Login > Maintenance > Firmware Version. If the version is 1.01.07, the device is vulnerable.

Check Version:

curl -s http://router-ip/boafrm/firmware | grep version

Verify Fix Applied:

Verify that the firmware version is no longer 1.01.07 after the update. Test by accessing the /boafrm/formPortFw endpoint while monitoring for a crash.

📡 Detection & Monitoring

Log Indicators:

  • Web server crashes
  • Unusual POST requests to /boafrm/formPortFw
  • Large payloads in HTTP requests

Network Indicators:

  • HTTP POST requests to /boafrm/formPortFw with oversized submit-url parameter
  • Traffic patterns indicating buffer overflow attempts

SIEM Query:

source="router_logs" AND (uri="/boafrm/formPortFw" AND method="POST" AND size_bytes>1000)
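
The indicators above, expressed as detection logic over captured request records. This is an added example, not code from the advisory or from D-Link. It assumes a proxy or IDS in front of the router that records method, URI and form body; the record layout, the 256-character parameter limit and the sample records are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boafrm/formPortFw"   # endpoint named in the advisory
PARAM = "submit-url"              # parameter named in the advisory
MAX_BODY = 1000                   # mirrors size_bytes>1000 in the SIEM query
MAX_PARAM = 256                   # assumed limit; tune to your environment


def check_request(method, uri, body):
    """Return a list of reasons the request is suspicious (empty if none)."""
    if method.upper() != "POST" or urlsplit(uri).path != ENDPOINT:
        return []
    reasons = []
    if len(body) > MAX_BODY:
        reasons.append(f"body length {len(body)} > {MAX_BODY}")
    # parse_qs percent-decodes values and keeps repeated parameters,
    # so an encoded or duplicated submit-url is still measured.
    fields = parse_qs(body, keep_blank_values=True)
    longest = max((len(v) for v in fields.get(PARAM, [])), default=0)
    if longest > MAX_PARAM:
        reasons.append(f"{PARAM} {longest} chars > {MAX_PARAM}")
    return reasons


def scan(records):
    """Yield (source, reasons) for every flagged record."""
    for rec in records:
        reasons = check_request(rec["method"], rec["uri"], rec["body"])
        if reasons:
            yield rec["src"], reasons


# Constructed sample records (not real traffic); "x" filler stands in for data.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "uri": ENDPOINT,
     "body": "submit-url=%2Fpage.htm&enabled=ON"},
    {"src": "198.51.100.7", "method": "POST", "uri": ENDPOINT + "?x=1",
     "body": "submit-url=" + "x" * 1500},
    {"src": "198.51.100.8", "method": "POST", "uri": ENDPOINT,
     "body": "submit-url=%2Fa&submit-url=" + "%78" * 300},
    {"src": "192.0.2.11", "method": "GET", "uri": "/index.htm", "body": ""},
]

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE):
        print(src, "; ".join(reasons))
```

The third sample record stays under the 1000-byte body threshold yet is still flagged on the decoded length of the repeated parameter, which a size-only rule would miss.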
