HIGHCVE-2026-5212CVSS 8.8

CVE-2026-5212: Stack Overflow in D-Link DNS Routers

Platform

dlink

Component

my_vuln

Fixed in

20260205.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2026-5212 describes a critical stack-based buffer overflow vulnerability affecting a range of D-Link DNS routers. This flaw resides within the WebdavUploadFile function of the /cgi-bin/webdavmgr.cgi file and allows remote attackers to manipulate the ffile argument, potentially leading to arbitrary code execution. The vulnerability impacts D-Link DNS-120, DNR-202L, DNS-315L, and numerous other models released up to version 20260205. A patch is required to remediate this issue.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-5212 allows an attacker to execute arbitrary code on the affected D-Link router. This could lead to complete system compromise, enabling attackers to modify router configurations, steal sensitive data (usernames, passwords, network traffic logs), and potentially pivot to other devices on the network. The remote nature of the vulnerability significantly broadens the attack surface, as exploitation does not require local access. Given the routers' function as network gateways, a successful attack could compromise the entire internal network behind the router, resulting in a significant blast radius. The public disclosure of the exploit increases the risk of immediate exploitation.

Exploitation Context

CVE-2026-5212 has been publicly disclosed, indicating a higher probability of exploitation. The vulnerability is not currently listed on CISA KEV, but the public availability of an exploit suggests a medium to high exploitation probability. Public proof-of-concept exploits are likely to emerge, further increasing the risk. The vulnerability was published on 2026-03-31, and the potential for widespread exploitation is significant given the prevalence of D-Link routers.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports1 threat report

EPSS

0.10% (28% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentmy_vuln

VendorD-Link

Affected rangeFixed in

20260205 – 2026020520260205.0.1

Weakness Classification (CWE)

CWE-121 CWE-119

Timeline

Reserved2026-03-31
Published2026-03-31
Modified2026-04-03
EPSS updated2026-04-08

Unpatched — 54 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-5212 is to upgrade the affected D-Link routers to a firmware version containing a patch. Unfortunately, a specific fixed-in version is not provided in the CVE details. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the /cgi-bin/webdavmgr.cgi endpoint using a firewall or web application firewall (WAF). Monitor router logs for suspicious activity related to file uploads. Implement strict input validation on any web-based file upload functionality. After upgrading the firmware, verify the fix by attempting to trigger the vulnerability with a crafted ffile argument and confirming that the router does not crash or exhibit unexpected behavior.

How to fix

Update the firmware of your D-Link DNS-1550-04 device to a version later than 20260205 to correct the stack-based buffer overflow vulnerability. Refer to the D-Link website for the latest firmware updates and installation instructions.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-5212 — Stack Overflow in D-Link DNS Routers?

CVE-2026-5212 is a HIGH severity buffer overflow vulnerability in D-Link DNS routers, allowing remote code execution through manipulation of the 'f_file' argument in a web interface.

Am I affected by CVE-2026-5212 in D-Link DNS Routers?

You are affected if you are using a D-Link DNS router (DNS-120, DNR-202L, etc.) with firmware versions equal to or earlier than 20260205.

How do I fix CVE-2026-5212 in D-Link DNS Routers?

Upgrade your D-Link DNS router to a patched firmware version. Check the D-Link support website for available updates. If upgrading is not possible, implement temporary workarounds like firewall restrictions.

Is CVE-2026-5212 being actively exploited?

The vulnerability has been publicly disclosed, and public exploits are likely to emerge, increasing the risk of active exploitation.

Where can I find the official D-Link advisory for CVE-2026-5212?

Refer to the D-Link security advisory page for the latest information and firmware updates related to CVE-2026-5212.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.