CVE-2026-2881
Published: 21 February 2026
Summary
CVE-2026-2881 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dwr-M960 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents the stack-based buffer overflow by validating the length and format of the manipulated submit-url argument in the Advanced Firewall Configuration Endpoint.
Mitigates exploitation of the stack-based buffer overflow through mechanisms like stack canaries, ASLR, and non-executable stack protections.
Addresses the vulnerability comprehensively by requiring timely flaw remediation through firmware updates for the affected D-Link DWR-M960 version 1.01.07.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack buffer overflow in public web endpoint (/boafrm/formFirewallAdv) with authenticated low-priv remote access enables RCE and privilege escalation on the device.
NVD Description
A vulnerability has been found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_425FF8 of the file /boafrm/formFirewallAdv of the component Advanced Firewall Configuration Endpoint. Such manipulation of the argument submit-url leads to stack-based buffer overflow. The attack may…
more
be launched remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2026-2881 is a stack-based buffer overflow vulnerability in D-Link DWR-M960 firmware version 1.01.07. It affects the function sub_425FF8 in the file /boafrm/formFirewallAdv of the Advanced Firewall Configuration Endpoint, triggered by manipulation of the submit-url argument.
The vulnerability enables remote exploitation by an attacker with low privileges (PR:L), requiring network access (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 8.8. It maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a publicly disclosed exploit available for use.
Advisories referenced in VulDB entries (ctiid.347175, id.347175, submit.754486) and a GitHub issue (LX-66-LX/cve-new/issues/15) detail the vulnerability and exploit disclosure. The D-Link website (dlink.com) is listed among references for further information, though specific patch details are not provided in available data.
Details
- CWE(s)