CVE-2026-2927
Published: 22 February 2026
Summary
CVE-2026-2927 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dwr-M960 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation and sanitization of inputs like the submit-url argument to prevent stack-based buffer overflows in the Operation Mode Configuration Endpoint.
Enforces memory protection mechanisms such as stack canaries, address space layout randomization, and non-executable stacks to mitigate exploitation of stack-based buffer overflows.
Mandates timely flaw remediation by applying vendor patches for known vulnerabilities like CVE-2026-2927 in D-Link DWR-M960 firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the router's public web configuration endpoint (formOpMode) is directly exploitable over the network by an authenticated user, enabling T1190 for initial access and full device compromise.
NVD Description
A vulnerability has been found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_462590 of the file /boafrm/formOpMode of the component Operation Mode Configuration Endpoint. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack may…
more
be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2026-2927 is a stack-based buffer overflow vulnerability affecting the D-Link DWR-M960 router running firmware version 1.01.07. The issue resides in the function sub_462590 within the file /boafrm/formOpMode of the Operation Mode Configuration Endpoint. It is triggered by manipulating the submit-url argument, and is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, requiring low attack complexity and no user interaction. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full compromise of the affected device. An exploit has been publicly disclosed and may be used by attackers.
Advisories and additional details are available from sources including VulDB (ctiid.347274, id.347274, submit.754499), a GitHub issue at LX-66-LX/cve-new/issues/22, and the D-Link website. Security practitioners should review these references for any recommended mitigations, patches, or workarounds.
Details
- CWE(s)