CVE-2026-4211
Published: 16 March 2026
Summary
CVE-2026-4211 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Dnr-202L Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely remediation of the stack-based buffer overflow flaw through vendor firmware patches beyond version 20260205.
Prevents exploitation of the vulnerability by enforcing validation of the f_idx argument in the local_backup_mgr.cgi script to block stack buffer overflows.
Mitigates stack-based buffer overflow attacks through memory protections like stack canaries and non-executable stacks on affected D-Link NAS devices.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing /cgi-bin/local_backup_mgr.cgi CGI endpoint on D-Link NAS devices enables remote exploitation for arbitrary code execution (CVSS AV:N/PR:L).
NVD Description
A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected by this issue is the function Local_Backup_Info of…
more
the file /cgi-bin/local_backup_mgr.cgi. This manipulation of the argument f_idx causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-4211 is a stack-based buffer overflow vulnerability affecting the Local_Backup_Info function in the /cgi-bin/local_backup_mgr.cgi file across multiple D-Link Network Attached Storage (NAS) devices. The impacted models include DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04, with firmware versions up to 20260205. The flaw arises from manipulation of the f_idx argument and is classified under CWE-119, CWE-121, and CWE-787.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It can be exploited remotely by attackers who possess low privileges (PR:L), requiring no user interaction. Successful exploitation enables high-impact outcomes, including arbitrary code execution that compromises confidentiality, integrity, and availability of the affected NAS device.
Advisories referenced in VulDB entries (ctiid.351122, id.351122, submit.770441) and a GitHub repository (wudipjq/my_vuln/blob/main/D-Link8/vuln_160/160.md) provide details on the vulnerability and a publicly available exploit. The D-Link website (dlink.com) is also listed as a reference, where practitioners should verify firmware updates beyond 20260205 for mitigation.
Notable context includes the public availability of an exploit, increasing the risk of real-world attacks against unpatched devices.
Details
- CWE(s)