CVE-2026-2857
Published: 20 February 2026
Summary
CVE-2026-2857 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dwr-M960 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents stack-based buffer overflow by validating the manipulated submit-url argument before processing in the port forwarding endpoint.
Implements memory protections like stack canaries and non-executable stacks to mitigate exploitation of the stack-based buffer overflow.
Ensures timely remediation of the specific buffer overflow flaw in the D-Link router firmware through identification, reporting, and patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the remotely accessible web form handler (/boafrm/formPortFw) on a network device directly enables remote code execution against a public-facing application.
NVD Description
A vulnerability was determined in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_423E00 of the file /boafrm/formPortFw of the component Port Forwarding Configuration Endpoint. This manipulation of the argument submit-url causes stack-based buffer overflow. Remote exploitation of…
more
the attack is possible. The exploit has been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-2857 is a stack-based buffer overflow vulnerability affecting the D-Link DWR-M960 router on firmware version 1.01.07. The flaw resides in the function sub_423E00 within the file /boafrm/formPortFw of the Port Forwarding Configuration Endpoint. It is triggered by manipulation of the submit-url argument, as classified under CWE-119 and CWE-121.
Attackers can exploit this vulnerability remotely with low privileges (PR:L), requiring network access and low complexity but no user interaction. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high impacts on confidentiality, integrity, and availability, potentially enabling full compromise of the affected device.
References include a GitHub issue at https://github.com/LX-66-LX/cve-new/issues/14 detailing the vulnerability and exploit, VulDB entries at https://vuldb.com/?ctiid.347096, https://vuldb.com/?id.347096, and https://vuldb.com/?submit.754476, and the D-Link website at https://www.dlink.com/. The exploit has been publicly disclosed and may be utilized.
Details
- CWE(s)