CVE-2026-10206 | Severity: HIGH | CNA: VulDB

CVE-2026-10206: D-Link DI-8400 dbsrv.asp stack-based overflow

A vulnerability was detected in D-Link DI-8400 up to 16.07.26A1. It affects an unknown function of the file /dbsrv.asp. Manipulating the argument str results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used. The initial researcher advisory lists contradicting parameter names as affected.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the D-Link DI-8400 router firmware (up to version 16.07.26A1), triggered by sending a crafted value for the str argument to the /dbsrv.asp endpoint. The vulnerability is reachable over the network and requires a low-privilege account, meaning any authenticated user can attempt it. Successful exploitation gives an attacker full control over memory on the affected device, enabling arbitrary code execution, data theft, or complete service disruption. No vendor patch has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10206 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against all customer images, including custom-built images derived from affected D-Link firmware layers. Any image pinned to D-Link DI-8400 firmware version 16.07.26A1 or earlier will surface a finding automatically.

Triage: Available

Triage capability is available with the full CVSS v4.0 score of 8.7 (HIGH), weighted further by each customer environment's compliance policy to reflect actual exposure context. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published by D-Link, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint /dbsrv.asp is exposed over the network, so an attacker must be able to reach the device's web interface remotely.

  • Authentication: Required

    The CVSS vector specifies PR:L, meaning a low-privilege account is sufficient; any authenticated user on the device can send the malicious request.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends the crafted request directly to the endpoint without requiring any action from another user.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
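The four conditions above are read straight off the CVSS v4.0 vector published for this CVE. The following Python is an added example, not HarborGuard's code: it parses a v4.0 vector string, rejects malformed or incomplete vectors, and derives the same yes/no conditions (plus whether the E metric indicates a publicly known exploit). The wording of the derived keys and the treatment of PR:L and PR:H as "authentication required" are assumptions made for illustration.

```python
# Added example (not HarborGuard's code): parse a CVSS v4.0 vector and derive
# the exploit-condition summary shown in the advisory. The key names and the
# mapping rules below are assumptions made for illustration.
import re

# Vector string as published on the advisory page.
VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"

# Base metrics that every CVSS v4.0 vector must carry; threat/environmental ones are optional.
_BASE_REQUIRED = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")


def parse_cvss4(vector: str) -> dict:
    """Split a CVSS v4.0 vector into {metric: value}; raise ValueError on malformed input."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in parts[1:]:
        m = re.fullmatch(r"([A-Z]{1,3}):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        key, val = m.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = val
    missing = [k for k in _BASE_REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def exploit_conditions(metrics: dict) -> dict:
    """Translate base (and optional threat) metrics into the advisory's condition summary."""
    return {
        # AV:N means the endpoint must be reachable over the network.
        "network_reachability_required": metrics["AV"] == "N",
        # PR:L or PR:H means some account is needed; PR:N would mean none.
        "authentication_required": metrics["PR"] in ("L", "H"),
        # UI:N means no other user has to do anything.
        "victim_interaction_required": metrics["UI"] != "N",
        # AC:L together with AT:N means no special conditions or preparation.
        "attack_complexity_low": metrics["AC"] == "L" and metrics["AT"] == "N",
        # E:P (proof of concept) or E:A (attacked) means a public exploit exists.
        "exploit_publicly_known": metrics.get("E") in ("P", "A"),
    }


def summarize(vector: str) -> dict:
    """Parse and summarize in one call."""
    return exploit_conditions(parse_cvss4(vector))


if __name__ == "__main__":
    for key, value in summarize(VECTOR).items():
        print(f"{key}: {value}")
```

Running it on the advisory's vector reports network reachability required, authentication required, no victim interaction, low complexity, and a publicly known exploit, matching the list above; feeding it a vector that is missing a base metric raises rather than silently producing a partial answer.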

Blast Radius

  • Reads data held in device memory, including stored credentials and session tokens.
  • Overwrites the stack to redirect execution, enabling the attacker to run arbitrary code on the router.
  • Crashes the dbsrv.asp handler or the broader device web service, disrupting routing and administrative access.
  • Full device compromise allows an attacker to pivot into the local network behind the router.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged immediately on any image fingerprinted to D-Link DI-8400 firmware 16.07.26A1 or earlier, with a HIGH-severity finding at CVSS 8.7. Because D-Link has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild becomes available; for customers with auto-remediation enabled, that triggers an automatic rebuild, a regression-test run, and a PR opened against affected workloads. In the interim, compensating controls to consider include network-policy isolation that restricts access to the device management interface to trusted source IPs only, egress filtering that limits what the device can reach if compromised, and disabling remote management features where operationally feasible. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations as inline annotations on the finding.
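Two checks a defender can run locally while the upstream fix is pending are "is this firmware in the affected range?" and "is anyone sending an unusually long str value to /dbsrv.asp?". The Python below is an added example, not HarborGuard's code: it compares firmware version strings of the form 16.07.26A1 against the last affected version, and scans web-server access-log lines for /dbsrv.asp requests whose str argument exceeds a length threshold. The log format, the 64-character threshold, and the three sample lines are all constructed assumptions; a real deployment would adapt the regular expression to the device's actual log layout.

```python
# Added example (not HarborGuard's code): version-range matching for the
# advisory and a simple access-log detection for oversized "str" values sent
# to /dbsrv.asp. Log format, threshold and sample lines are constructed.
import re
from urllib.parse import parse_qs, urlsplit

LAST_AFFECTED = "16.07.26A1"   # last affected version named in the advisory
STR_MAX_LEN = 64               # assumed: legitimate str values are short; illustrative threshold

# Constructed sample lines in a common-log-style format (not real device logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2026:10:00:01 +0000] "GET /dbsrv.asp?str=hello HTTP/1.1" 200 512
10.0.0.7 - admin [01/Jan/2026:10:00:02 +0000] "GET /dbsrv.asp?str={long} HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /index.asp HTTP/1.1" 200 2048
""".format(long="A" * 300)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(v: str) -> tuple:
    """'16.07.26A1' -> (16, 7, 26, 'A', 1); a bare '16.07.26' sorts before '16.07.26A1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([A-Z]?)(\d*)", v)
    if not m:
        raise ValueError(f"unrecognised version {v!r}")
    major, minor, patch, letter, rev = m.groups()
    return (int(major), int(minor), int(patch), letter, int(rev or 0))


def is_affected(version: str) -> bool:
    """True when the firmware version is LAST_AFFECTED or earlier."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def suspicious_requests(log_text: str, max_len: int = STR_MAX_LEN) -> list:
    """Return (ip, user, str_length, status) for /dbsrv.asp requests with an over-long str."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines in another format
        url = urlsplit(m["target"])
        if url.path != "/dbsrv.asp":
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("str", []):
            if len(value) > max_len:
                hits.append((m["ip"], m["user"], len(value), int(m["status"])))
    return hits


if __name__ == "__main__":
    print("16.07.26A1 affected:", is_affected("16.07.26A1"))
    print("16.07.27A1 affected:", is_affected("16.07.27A1"))
    for ip, user, length, status in suspicious_requests(SAMPLE_LOG):
        print(f"oversized str ({length} chars) from {ip} as {user!r}, status {status}")
```

The version comparison treats the trailing letter and revision as part of the ordering, so 16.07.26 (no suffix) and 16.07.25A1 are affected while 16.07.26A2 and 16.07.27A1 are not; only the second sample line, whose str value is 300 characters, is flagged, and its 500 status is exactly the kind of crash signal the Blast Radius section describes.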


Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: no fix version published (pending upstream)
Affected products: 1
Affected packages:
  • D-Link / DI-8400, 16.07.26A1 and earlier
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P