HIGHCVE-2026-5211CVSS 8.8

CVE-2026-5211: Stack Overflow in D-Link DNS Routers

Platform

dlink

Component

my_vuln

Fixed in

20260205.0.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-5211 describes a critical stack-based buffer overflow vulnerability affecting a range of D-Link DNS routers. Successful exploitation allows a remote attacker to potentially execute arbitrary code on the vulnerable device. This flaw impacts models including DNS-120, DNR-202L, and several others, specifically those running firmware versions up to and including 20260205. A patch is expected from D-Link.

Impact and Attack Scenarios

The vulnerability lies within the UPnPAVServerPathDel function of the /cgi-bin/appmgr.cgi file. An attacker can exploit this by manipulating the 'fdir' argument, causing a stack-based buffer overflow. This overflow can overwrite critical memory regions, potentially allowing the attacker to gain control of the router. Given the router's role in network connectivity and often containing sensitive configuration data, a successful exploit could lead to complete system compromise, data theft, and unauthorized access to the internal network. The published exploit significantly increases the risk of immediate exploitation.

Exploitation Context

The exploit for CVE-2026-5211 has been publicly released, indicating a high probability of exploitation. It is crucial to apply the patch as soon as it becomes available. The vulnerability's ease of exploitation and the router's common deployment make it a significant threat. The vulnerability is not currently listed on CISA KEV, but its public exploit status warrants close monitoring.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.03% (9% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentmy_vuln

VendorD-Link

Affected rangeFixed in

20260205 – 2026020520260205.0.1

Weakness Classification (CWE)

CWE-121 CWE-119

Timeline

Reserved2026-03-31
Published2026-03-31
Modified2026-04-01
EPSS updated2026-04-08

Unpatched — 54 days since disclosure

Mitigation and Workarounds

The primary mitigation is to upgrade the affected D-Link DNS routers to a firmware version that includes the security patch. D-Link is expected to release a patch soon. Until the patch is available, consider implementing temporary workarounds such as restricting access to the /cgi-bin/app_mgr.cgi endpoint using a firewall or access control list (ACL). Web application firewalls (WAFs) configured to detect and block buffer overflow attempts targeting UPnP functionality can also provide some protection. Monitor router logs for unusual activity or error messages related to the UPnP service.

How to fix

Update the firmware of your D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 to a version later than 20260205 to correct the stack-based buffer overflow vulnerability in the UPnP_AV_Server_Path_Del function of the /cgi-bin/app_mgr.cgi file.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-5211 — Stack Overflow in D-Link DNS Routers?

CVE-2026-5211 is a HIGH severity buffer overflow vulnerability in D-Link DNS routers, allowing remote code execution via manipulation of the fdir argument in /cgi-bin/appmgr.cgi.

Am I affected by CVE-2026-5211 in D-Link DNS Routers?

You are affected if you are using a D-Link DNS router (DNS-120, DNR-202L, etc.) with firmware versions up to and including 20260205.

How do I fix CVE-2026-5211 in D-Link DNS Routers?

Upgrade your D-Link DNS router to the latest available firmware version that includes the security patch. Monitor D-Link's website for the official advisory.

Is CVE-2026-5211 being actively exploited?

Yes, a public proof-of-concept exploit has been released, indicating active exploitation is likely.

Where can I find the official D-Link advisory for CVE-2026-5211?

Refer to D-Link's security advisory page for updates and the official patch release: https://www.dlink.com/support/security-updates

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.