CVE-2026-10206: D-Link DI-8400 Stack Buffer Overflow in /dbsrv.asp
D-Link DI-8400 routers contain a stack-based buffer overflow vulnerability in the /dbsrv.asp file that can be exploited by authenticated attackers to gain complete control of the device. By manipulating a specific parameter, an attacker with valid credentials can overflow memory on the router and execute arbitrary code remotely. This vulnerability affects firmware versions up to 16.07.26A1, and proof-of-concept code is publicly available, raising the risk of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in D-Link DI-8400 up to 16.07.26A1. This affects an unknown function of the file /dbsrv.asp. Performing a manipulation of the argument str results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The initial researcher advisory mentions contradicting parameter names to be affected.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10206 is a stack-based buffer overflow (CWE-121) resulting from improper input validation (CWE-119) in the D-Link DI-8400 web interface. The vulnerability exists in the /dbsrv.asp file, where the 'str' parameter is processed without adequate bounds checking. An authenticated user can craft a malformed request to overflow the stack, potentially achieving code execution in the context of the web service. The CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability, moderated by the requirement for valid credentials (PR:L).
Business impact
Successful exploitation allows an attacker with router credentials to fully compromise device functionality, intercept encrypted traffic, modify network configurations, or use the router as a pivot point into the connected network. For organizations deploying D-Link DI-8400 devices in branch offices, SMB networks, or as edge firewalls, this represents a critical risk to network perimeter security. The availability of public exploits accelerates the likelihood of opportunistic attacks against unpatched installations.
Affected systems
D-Link DI-8400 routers running firmware version 16.07.26A1 and earlier are affected. Organizations should inventory all D-Link DI-8400 deployments and verify current firmware versions. The researcher advisory notes conflicting parameter names in the original report; verify the exact vulnerable parameter against the vendor's official advisory and your device configuration.
Exploitability
Exploitation requires valid authentication credentials to access the web interface, which limits exposure in properly configured environments with strong password policies. However, the public availability of proof-of-concept code, combined with the relative simplicity of stack overflow attacks, means that attackers with internal network access or compromised credentials pose an immediate threat. The attack does not require user interaction and can be automated.
Remediation
Verify that your D-Link DI-8400 devices are updated to firmware version 16.07.26A2 or later, or confirm a vendor advisory specifying a newer patch. If no patch is available from D-Link, implement strong access controls: restrict web interface access to trusted IP addresses, enforce strong administrative passwords, and disable remote management features if not required. Consider network segmentation to limit lateral movement if a device is compromised.
Patch guidance
Check D-Link's official support portal for firmware updates to DI-8400 models. The vulnerability is confirmed to affect versions up to 16.07.26A1; verify against the vendor advisory the exact patched version and any interim mitigations recommended. Firmware updates for network appliances should be validated in a test environment before production rollout to confirm no compatibility issues with your network configuration.
Detection guidance
Monitor web server logs on affected routers for unusual POST requests to /dbsrv.asp with oversized or malformed 'str' parameters. Intrusion detection systems should flag attempts to send payloads designed to overflow the stack. Network-based detection of authentication followed by abnormal process execution on the router may also indicate exploitation. Baseline normal traffic patterns to identify anomalies.
Why prioritize this
This vulnerability scores 8.8 (HIGH) due to high impact (confidentiality, integrity, availability all at risk) and a network-accessible attack surface, offset only by the authentication requirement. The public availability of proof-of-concept code and the device's role as a network gateway make it an attractive target. Organizations should prioritize patching or isolating affected devices within 30 days.
Risk score, explained
CVSS 3.1 score of 8.8 is driven by: (1) Network-accessible attack vector (AV:N); (2) Low attack complexity (AC:L), as the overflow can be triggered with a simple HTTP request; (3) Low privilege requirement (PR:L), meaning any authenticated user can attempt exploitation; (4) High impact across all three security properties. The lack of user interaction requirement (UI:N) further elevates severity. The score reflects a device that, if compromised, gives an attacker full control.
Frequently asked questions
Do I need valid credentials to exploit this vulnerability?
Yes. The vulnerability requires authentication to access the /dbsrv.asp interface. However, this does not eliminate risk if default credentials are in use, credentials have been leaked, or an attacker gains access to the network. All administrative credentials should be changed to strong, unique values.
What is a stack-based buffer overflow and why does it matter?
A stack-based buffer overflow occurs when input data exceeds the allocated memory space on the program stack, overwriting adjacent data including return addresses. An attacker can inject malicious code and redirect program execution to that code, achieving remote code execution with the privileges of the affected service. This is one of the most dangerous classes of vulnerability.
Is this vulnerability tracked in CISA's Known Exploited Vulnerabilities list?
No, this vulnerability is not currently listed in CISA's KEV catalog. However, public proof-of-concept code exists, and organizations should not rely on KEV listing as an indicator of exploit availability or threat. Treat any publicly disclosed vulnerability in critical infrastructure with urgency.
What should I do if I cannot patch immediately?
Implement compensating controls: restrict access to the web interface to trusted IP addresses only, use a firewall rule to block untrusted traffic to port 80/443 on the device, enforce strong passwords, and disable remote management. Monitor for suspicious activity and segregate the router on a management VLAN if possible. Plan a patching window within 30 days.
This analysis is based on the CVE record and publicly available information current as of the modification date (2026-06-17). Patch versions, affected product lists, and remediation steps should be verified against D-Link's official security advisory and your organization's vendor communications. The mention of conflicting parameter names in the researcher advisory suggests reviewing the original report and vendor response for complete technical details. No exploit code or weaponization steps are provided or endorsed. Testing and deployment of any patches or mitigations should occur in a controlled environment before production use. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow