Cyber Resilience

CVE-2026-7851

HighPublic PoC

Published: 05 May 2026

Published
05 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 37.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7851 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Dlink Di-8100 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-7851 is a stack-based buffer overflow vulnerability affecting the D-Link DI-8100 router on firmware version 16.07.26A1. The flaw exists in the sprintf function within the yyxz.asp file, where manipulation of the ID argument triggers the overflow. It is remotely exploitable and has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), mapped to CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

An authenticated attacker with high privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation leads to high impacts on confidentiality, integrity, and availability, enabling potential full system compromise such as arbitrary code execution or denial of service. A public exploit is available and might be used.

Advisories and technical details are documented in references including a GitHub proof-of-concept report at https://github.com/draw-ctf/report/blob/main/DI-8100/yyxz_dlink_asp_overflow.md and VULDB entries at https://vuldb.com/vuln/361128. The D-Link website (https://www.dlink.com/) is also referenced for further information, though specific patch or mitigation guidance is not detailed in the available data.

EU & UK References

Vulnerability details

A vulnerability was identified in D-Link DI-8100 16.07.26A1. This affects the function sprintf of the file yyxz.asp. The manipulation of the argument ID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is…

more

publicly available and might be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in public-facing web interface (yyxz.asp) directly enables remote exploitation of an Internet-facing application for RCE/DoS on the router.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-7762Same product: Dlink Di-8100
CVE-2025-7911Same product: Dlink Di-8100
CVE-2025-7908Same product: Dlink Di-8100
CVE-2025-7790Same product: Dlink Di-8100
CVE-2026-7857Same product: Dlink Di-8100
CVE-2026-7853Same product: Dlink Di-8100
CVE-2026-7854Same product: Dlink Di-8100
CVE-2026-7248Same product: Dlink Di-8100
CVE-2026-7247Same product: Dlink Di-8100
CVE-2026-7856Same product: Dlink Di-8100

Affected Assets

dlink
di-8100 firmware
16.07.26a1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces validation of the ID argument supplied to yyxz.asp, blocking the malformed input that triggers the sprintf stack overflow.

prevent

Requires hardware or software memory-protection mechanisms that can render stack-based buffer overflows non-exploitable even if input validation fails.

prevent

Mandates prompt identification and remediation of the publicly disclosed flaw in the D-Link firmware's yy.asp sprintf handling.

References