VYPR
Unrated severity · NVD Advisory · Published Aug 31, 2022 · Updated Aug 3, 2024

CVE-2022-36620

Description

D-Link DIR-816 A2_v1.10CNB04 and DIR-878 DIR_878_FW1.30B08.img are vulnerable to a buffer overflow via /goform/addRouting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Buffer overflow in D-Link DIR-816 A2 firmware allows unauthenticated remote code execution via the /goform/addRouting handler.

Vulnerability

The D-Link DIR-816 A2 firmware versions v1.10CNB04 and v1.10CNB05 contain a stack buffer overflow vulnerability in the /goform/addRouting handler. The dest, netmask, and comment parameters are copied into stack buffers without proper size checking, allowing an attacker to overwrite adjacent memory. The vulnerability is present in firmware images such as DIR-816A2_FWv1.10CNB04.img and DIR-816A2_FWv1.10CNB05_R1B011D88210.img [1][2].

Exploitation

An unauthenticated attacker with network access to the device can exploit the vulnerability by sending a crafted HTTP POST request to /goform/addRouting. The attacker must first obtain a valid token ID by visiting /dir_login.asp and extracting the tokenid parameter. The request includes oversized strings in the dest, netmask, or comment fields (e.g., 10000 'a' characters), which triggers the overflow. The provided proof-of-concept code causes the router to crash [1][2].

Impact

Successful exploitation leads to a stack buffer overflow, which can result in denial of service (device crash) or potentially arbitrary code execution with root privileges, as the vulnerable handler runs with elevated permissions. An attacker could gain full control of the affected router [1][2].

Mitigation

As of the publication date, D-Link has not released a firmware update to address this vulnerability. The vendor's security bulletin page provides general information but no specific fix for this issue [3]. The DIR-816 A2 may be at end-of-life status; users are advised to check the EOL policy and consider replacing the device if no patch is available. No workaround has been disclosed [1][2][3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Dlink/DIR-816 (cpe-rescue), 2 versions
    • (no CPE)
    • (no CPE), range: = A2_v1.10CNB04
  • Dlink/DIR878 (llm-fuzzy)
    Range: = DIR_878_FW1.30B08.img

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing size validation when copying user-supplied `dest`, `comment`, and `netmask` parameters into fixed-size stack buffers in the `/goform/addRouting` handler."

Attack vector

An attacker on the same LAN as the router sends a crafted HTTP POST request to `http://<router-ip>/goform/addRouting` with an oversized `dest` parameter (when `hostnet` is set to `net`) or an oversized `comment` parameter, causing a stack buffer overflow [1]. Alternatively, the attacker can overflow via the `netmask` parameter [2]. A valid `tokenid` (obtainable from `/dir_login.asp`) is required to authenticate the request [1][2]. The overflow corrupts the stack and crashes the router, and may be exploitable for arbitrary code execution.

Affected code

The vulnerability is in the `/goform/addRouting` CGI handler of the DIR-816 A2 firmware (v1.10CNB04 and v1.10CNB05). The `dest` parameter (when `hostnet` is `net`) is copied into the stack variable `v14` without size limits, and the `comment` parameter is appended to `v16` without bounds checking [1]. Additionally, the `netmask` parameter is passed to `v3` and then written into the stack variable `v13` without size checking [2].

What the fix does

No patch is provided in the bundle. The advisory recommends that the vendor implement proper bounds checking on the `dest`, `comment`, and `netmask` parameters before copying them into fixed-size stack buffers [1][2]. Without size validation, any of these parameters can overflow the stack and crash the device.
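The bounds checking described above, sketched as an added example; this is not firmware or vendor code. The buffer capacities, the `route_req` struct and the function names are assumptions, since the page gives neither the real buffer sizes nor the handler's source.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define ADDR_MAX    16            /* assumed size: "255.255.255.255" plus NUL */
#define COMMENT_MAX 32            /* assumed size: the page gives no real sizes */
struct route_req {                /* hypothetical layout, not the firmware's */
    char dest[ADDR_MAX], netmask[ADDR_MAX], comment[COMMENT_MAX];
};

/* Copy src only if it fits with its terminator; reject instead of truncating. */
static int copy_bounded(char *dst, size_t cap, const char *src)
{
    const char *end = src ? memchr(src, '\0', cap) : NULL;
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Length check first, so oversized input never reaches the address parser. */
static int copy_ipv4(char *dst, size_t cap, const char *src)
{
    struct in_addr a;
    return (copy_bounded(dst, cap, src) == 0 &&
            inet_pton(AF_INET, dst, &a) == 1) ? 0 : -1;
}

/* Returns 0 and fills *out, or -1 (leaving *out untouched) to refuse the request. */
int parse_add_routing(const char *dest, const char *netmask,
                      const char *comment, struct route_req *out)
{
    struct route_req tmp = {0};
    if (copy_ipv4(tmp.dest, sizeof tmp.dest, dest) != 0 ||
        copy_ipv4(tmp.netmask, sizeof tmp.netmask, netmask) != 0 ||
        copy_bounded(tmp.comment, sizeof tmp.comment, comment) != 0)
        return -1;
    *out = tmp;
    return 0;
}

int main(void)
{
    struct route_req r;
    char big[64] = {0};           /* constructed oversized input */
    memset(big, 'a', sizeof big - 1);
    printf("valid=%d\n", parse_add_routing("192.168.10.0", "255.255.255.0", "lab", &r));
    printf("oversized=%d\n", parse_add_routing(big, "255.255.255.0", "lab", &r));
    return 0;
}
```

Rejecting an over-length value outright, rather than truncating it, keeps a malformed route from being stored and gives the handler a single failure path to log.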

Preconditions

  • network: Attacker must be on the same LAN as the router
  • input: Attacker must obtain a valid tokenid from /dir_login.asp
  • config: Router must be running DIR-816 A2 firmware v1.10CNB04 or v1.10CNB05

Reproduction

1. Obtain a tokenid: `curl http://192.168.0.1/dir_login.asp | grep tokenid` [1][2]
2. Send a POST request to `/goform/addRouting` with an oversized `dest` parameter (10000 'a' characters) and `hostnet` set to `net`, or an oversized `comment` parameter (10000 'a' characters) [1]. Alternatively, send an oversized `netmask` parameter (10000 'a' characters) [2].
3. The router crashes, confirming the stack overflow.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
