CVE-2026-7068
Published: 27 April 2026
Summary
CVE-2026-7068 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Notion (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 27.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits use of end-of-support system components like the vulnerable D-Link DIR-825 firmware 3.00b32, directly preventing deployment of unpatchable devices.
Requires timely remediation of identified flaws such as this buffer overflow, mandating replacement or isolation of affected unsupported routers since no vendor patch exists.
Enforces boundary protection to monitor and control network traffic, blocking specially crafted NetBIOS packets from adjacent network attackers targeting the nmbd service.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in NetBIOS Name Service (nmbd) on router allows remote unauthenticated arbitrary code execution from adjacent network, directly enabling exploitation of remote services.
NVD Description
A vulnerability was identified in D-Link DIR-825 3.00b32. This affects the function NMBD_process of the file sserver.c of the component nmbd. Such manipulation leads to buffer overflow. The attack can only be initiated within the local network. The exploit is…
more
publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-7068 is a stack-based buffer overflow vulnerability in the NMBD_process function within the sserver.c file of the nmbd component on D-Link DIR-825 routers running firmware version 3.00b32. This flaw, associated with CWE-119 and CWE-120, allows remote attackers to trigger the overflow by sending specially crafted packets to the NetBIOS Name Service. The vulnerability carries a CVSS v3.1 base score of 8.8, reflecting its high severity due to the potential for significant impact.
Attackers on the adjacent network (AV:A) can exploit this vulnerability without authentication (PR:N) or user interaction (UI:N), leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation could enable arbitrary code execution, potentially allowing full compromise of the affected router, such as data theft, modification of configurations, or denial of service.
Advisories from sources like VULDB and a detailed Notion page confirm the exploit is publicly available and note that only end-of-support D-Link DIR-825 devices are affected, with no patches or updates provided by the vendor. The official D-Link website provides general product information but no specific mitigation for this issue.
In notable context, the public availability of the exploit increases the risk of real-world abuse against legacy, unsupported routers still in use on local networks.
Details
- CWE(s)