CVE-2026-4181
Published: 16 March 2026
Summary
CVE-2026-4181 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dir-816 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits the use of unsupported end-of-life system components like the D-Link DIR-816 firmware with no patches available for this buffer overflow vulnerability.
Validates manipulated arguments such as key1, key2, key3, key4, and pskValue to prevent stack-based buffer overflows in the vulnerable CGI script.
Implements memory protections like stack canaries and non-executable memory to mitigate arbitrary code execution from the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote, unauthenticated stack-based buffer overflow in a public-facing web server CGI script on a router, directly enabling arbitrary code execution via exploitation of a public-facing application.
NVD Description
A security flaw has been discovered in D-Link DIR-816 1.10CNB05. This affects an unknown function of the file /goform/form2RepeaterStep2.cgi of the component goahead. The manipulation of the argument key1/key2/key3/key4/pskValue results in stack-based buffer overflow. The attack may be launched remotely.…
more
The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-4181 is a stack-based buffer overflow vulnerability affecting the D-Link DIR-816 router on firmware version 1.10CNB05. The issue resides in an unknown function of the file /goform/form2RepeaterStep2.cgi within the goahead web server component. It is triggered by remote manipulation of the arguments key1, key2, key3, key4, and pskValue, as associated with CWE-119, CWE-121, and CWE-787.
The vulnerability enables remote exploitation by unauthenticated attackers with no privileges required and no user interaction needed, earning a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attackers can achieve high confidentiality, integrity, and availability impacts, potentially leading to arbitrary code execution on the device. A public exploit has been released.
Affected products are no longer supported by the maintainer, with no patches available. Advisories on VulDB detail the issue and submission, while a GitHub repository provides exploit documentation. The D-Link website is referenced but offers no specific mitigation for this end-of-life firmware; practitioners should prioritize network isolation, replacement, or decommissioning of vulnerable devices.
Details
- CWE(s)