VYPR
← All advisories
High severity8.8NVD Advisory· Published Jun 1, 2026

CVE-2026-10206

CVE-2026-10206

Description

D-Link DI-8400 routers running firmware ≤16.07.26A1 contain a stack-based buffer overflow in /dbsrv.asp via the str parameter, allowing remote pre-auth RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

D-Link DI-8400 routers running firmware ≤16.07.26A1 contain a stack-based buffer overflow in /dbsrv.asp via the str parameter, allowing remote pre-auth RCE.

Vulnerability

A stack-based buffer overflow vulnerability exists in D-Link DI-8400 routers running firmware versions up to and including 16.07.26A1. The flaw resides in the file /dbsrv.asp, which processes the str POST parameter. When the value of src is not empty, the function calls strcpy without bound checking, leading to a buffer overflow on the stack. The vulnerability was discovered by a researcher who noted the parameter name str, though the advisory initially mentioned contradicting parameter names [2].

Exploitation

An attacker can exploit this vulnerability remotely without any authentication. The attack involves sending a specially crafted HTTP POST request to /dbsrv.asp with an overly long str parameter value that overflows the stack buffer. The public proof-of-concept shows the request with a large string of 'a', 'b', and 'h' characters, overwriting adjacent memory locations. No user interaction is required, and no special network position is needed beyond reachability to the router's web interface [2].

Impact

Successful exploitation can result in a denial of service (DoS) condition or arbitrary command execution on the affected router. The overflow corrupts the stack, allowing an attacker to control return addresses or function pointers, potentially gaining full remote code execution with root privileges on the device. This compromises all three security objectives (confidentiality, integrity, and availability) [2].

Mitigation

As of the publication date (2026-06-01), D-Link has not released a firmware update to address this vulnerability. The affected product, DI-8400 with firmware ≤16.07.26A1, may be end-of-life or no longer supported; users should check the vendor's support page [1]. The only mitigation is to restrict access to the router's management interface to trusted networks only, or replace the device if no fix becomes available. A public exploit exists [2], increasing the urgency for action.

References
  1. Landing
  2. dlink-di8400-vuln/dlink-di8400-vuln at main · 666324/dlink-di8400-vuln

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checking in strcpy when copying the str POST parameter into a stack buffer in /dbsrv.asp."

Attack vector

An unauthenticated attacker sends a crafted HTTP POST request to `/dbsrv.asp` with an overly long `str` parameter in the body. The `strcpy` call copies the attacker-controlled string into a fixed-size stack buffer without validation, overflowing adjacent memory. This can cause a denial of service or potentially arbitrary code execution [CWE-121] [ref_id=1].

Affected code

The vulnerability resides in the file `/dbsrv.asp` of D-Link DI-8400 firmware up to version 16.07.26A1. The function handling the `str` POST parameter uses `strcpy` without bounds checking, leading to a stack-based buffer overflow when a long `str` value is supplied [ref_id=1].

What the fix does

No patch is provided in the advisory. The researcher notes that the root cause is the use of `strcpy` without boundary checking when the `src` value is non-empty. To remediate, the vendor should replace `strcpy` with a bounded copy function (e.g., `strncpy` or `snprintf`) and validate the length of the `str` input before copying [ref_id=1].

Preconditions

  • configThe target device must be running D-Link DI-8400 firmware version 16.07.26A1 or earlier
  • networkThe attacker must be able to send HTTP requests to the device's web interface
  • authNo authentication is required; the advisory does not mention any auth check for the vulnerable endpoint
  • inputThe attacker supplies a long string in the 'str' POST parameter

Reproduction

Send the following HTTP POST request to the target device:

``` POST /dbsrv.asp HTTP/1.1 Host: 192.168.0.1 Content-Type: application/x-www-form-urlencoded Content-Length: 26

str=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbh ```

The device may crash or become unresponsive [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.