CVE-2026-4184
Published: 16 March 2026
Summary
CVE-2026-4184 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dir-816 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits the use of end-of-support products like the EOL D-Link DIR-816, directly mitigating exposure to unpatchable vulnerabilities such as CVE-2026-4184.
Requires validation of inputs like the pskValue argument to prevent stack-based buffer overflows in the vulnerable /goform/form2Wl5BasicSetup.cgi endpoint.
Implements memory protections to mitigate arbitrary code execution from stack-based buffer overflows even if invalid inputs reach the goahead component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing web CGI (/goform/form2Wl5BasicSetup.cgi) on D-Link router enables remote unauthenticated arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was detected in D-Link DIR-816 1.10CNB05. Affected by this vulnerability is an unknown functionality of the file /goform/form2Wl5BasicSetup.cgi of the component goahead. Performing a manipulation of the argument pskValue results in stack-based buffer overflow. The attack is possible…
more
to be carried out remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-4184 is a stack-based buffer overflow vulnerability affecting the D-Link DIR-816 router on firmware version 1.10CNB05. The flaw exists in an unknown functionality of the file /goform/form2Wl5BasicSetup.cgi within the goahead component, where manipulation of the pskValue argument triggers the overflow. Published on 2026-03-16, it is associated with CWEs-119, CWE-121, and CWE-787, and carries a CVSS v3.1 base score of 9.8.
The vulnerability enables remote exploitation over the network with low complexity, requiring no privileges, authentication, or user interaction (AV:N/AC:L/PR:N/UI:N). Successful attacks can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing full device compromise such as arbitrary code execution. An exploit is publicly available and may be used against vulnerable instances.
Advisories note that this vulnerability only affects products no longer supported by the maintainer, with no patches available. Relevant references include VulDB entries detailing the issue (vuldb.com/?ctiid.351088, vuldb.com/?id.351088, vuldb.com/?submit.769832), a GitHub repository with exploit information (github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_88/88.md), and the D-Link website (dlink.com). Mitigation requires isolating or retiring affected devices.
Details
- CWE(s)