D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote Code Execution Vulnerability
Description
D-Link DIR-2640 HTTP Referer Stack-Based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2640-US routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within prog.cgi, which handles HNAP requests made to the lighttpd webserver listening on TCP ports 80 and 443. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-21853.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in D-Link DIR-2640 prog.cgi allows unauthenticated, network-adjacent attackers to execute arbitrary code as root.
Vulnerability
A stack-based buffer overflow vulnerability exists in the prog.cgi component of the D-Link DIR-2640-US router, which handles HNAP requests processed by the lighttpd web server on TCP ports 80 and 443. The flaw stems from improper validation of the length of user-supplied data in the HTTP Referer header before copying it to a fixed-length stack buffer [1]. All firmware versions of the DIR-2640 are affected [1].
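The flaw class described above, an HTTP header value copied into a fixed-size stack buffer without a length check, as an added illustrative example in C. This is not prog.cgi's code and nothing here comes from the device firmware: the buffer size REFERER_BUF_LEN, the function names and the two sample requests are constructed assumptions. The unchecked copy is shown only for contrast and is never called; the hardened path measures the header value first and rejects anything that does not fit before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed stack-buffer size; not taken from the device. */
#define REFERER_BUF_LEN 64

/* Vulnerable pattern (for contrast only, never called here): the header
 * value goes into a fixed-size stack buffer with no length check, so any
 * value of REFERER_BUF_LEN bytes or more writes past the end of buf. */
void copy_referer_unchecked(const char *referer)
{
    char buf[REFERER_BUF_LEN];
    strcpy(buf, referer);        /* unbounded copy: stack-based overflow */
    (void)buf;
}

/* Hardened pattern: the caller passes the measured value length and the
 * destination size; the copy is refused unless value plus NUL fits.
 * Returns 0 on success, -1 when the value must be rejected. */
int copy_header_value_checked(const char *value, size_t value_len,
                              char *out, size_t out_len)
{
    if (value == NULL || out == NULL || out_len == 0)
        return -1;
    if (value_len >= out_len)    /* leave room for the terminating NUL */
        return -1;
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return 0;
}

/* Locate the Referer header in a raw HTTP request and copy its value
 * through the checked routine. Returns 0 if the value was accepted,
 * -1 if the header is absent or too long (the request should then be
 * answered with 400 rather than processed). */
int extract_referer(const char *request, char *out, size_t out_len)
{
    const char *h = strstr(request, "\r\nReferer:");
    if (h == NULL)
        return -1;
    h += strlen("\r\nReferer:");
    while (*h == ' ' || *h == '\t')
        h++;
    const char *end = strstr(h, "\r\n");
    size_t len = (end != NULL) ? (size_t)(end - h) : strlen(h);
    return copy_header_value_checked(h, len, out, out_len);
}

/* Convenience wrapper: 1 if the request's Referer value fits the fixed
 * buffer, 0 if it is absent or over-long. */
int referer_accepted(const char *request)
{
    char out[REFERER_BUF_LEN];
    return extract_referer(request, out, sizeof out) == 0;
}

/* Constructed sample requests (not captured traffic). */
const char *SAMPLE_OK =
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Referer: http://192.168.0.1/\r\n"
    "\r\n";

/* 80-byte Referer value: longer than REFERER_BUF_LEN, so it is rejected. */
const char *SAMPLE_OVERLONG =
    "POST /HNAP1/ HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Referer: "
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\r\n"
    "\r\n";

int main(void)
{
    printf("benign request:   %s\n",
           referer_accepted(SAMPLE_OK) ? "accepted" : "rejected");
    printf("overlong request: %s\n",
           referer_accepted(SAMPLE_OVERLONG) ? "accepted" : "rejected");
    return 0;
}
```

The length check happens on the measured value before any byte is written, which is the property the advisory says is missing; a server that applies it answers the over-long request with an error instead of letting the copy run off the end of the stack buffer.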
Exploitation
An unauthenticated attacker on the same network as the target router can exploit this vulnerability by sending a specially crafted HTTP HNAP request with an oversized Referer header value [1]. No authentication or prior access is required. The attacker does not need any user interaction [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code with root privileges on the affected router [1]. This gives the attacker full control over the device, enabling them to compromise network traffic, install malware, or pivot to other systems on the network [1].
Mitigation
The vendor, D-Link, has not released a patch or advisory for this vulnerability. The affected DIR-2640 model is end-of-life and no longer supported [1]. The only recommended mitigation is to replace the router with a supported model that receives security updates [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; vulnerability mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] www.zerodayinitiative.com/advisories/ZDI-24-444/mitrex_research-advisory
News mentions: 0
No linked articles in our index yet.