CVE-2026-5979 Overview
CVE-2026-5979 is a buffer overflow vulnerability in the D-Link DIR-605L router firmware version 2.13B01. The flaw resides in the formVirtualServ function within /goform/formVirtualServ, part of the device's POST request handler. Attackers can trigger the overflow by manipulating the curTime argument in a crafted HTTP POST request.
The vulnerability is exploitable remotely and requires only low privileges. A public exploit description has been released, increasing the risk of opportunistic attacks. D-Link no longer supports the DIR-605L product line, so no official patch will be issued.
Critical Impact
Remote attackers with low privileges can corrupt memory on affected DIR-605L routers, potentially gaining control of the device and pivoting into the internal network.
Affected Products
- D-Link DIR-605L hardware (end-of-life)
- D-Link DIR-605L firmware version 2.13B01
- Any deployment running the legacy DIR-605L web administration interface
Discovery Timeline
- 2026-04-09 - CVE-2026-5979 published to NVD
- 2026-04-30 - Last updated in NVD database
Technical Details for CVE-2026-5979
Vulnerability Analysis
The vulnerability is classified under [CWE-119] as an improper restriction of operations within the bounds of a memory buffer. The formVirtualServ handler processes virtual server configuration submitted through the router's web interface. When the handler reads the curTime POST parameter, it copies the attacker-supplied value into a fixed-size stack buffer without enforcing length validation.
Because the affected endpoint is reachable through the device's HTTP administrative interface, an authenticated attacker on the local network or an attacker who reaches an internet-exposed management interface can send a crafted POST request. The resulting stack corruption can lead to control-flow hijack on the MIPS-based firmware, enabling arbitrary code execution within the router's privileged web service context.
Root Cause
The root cause is a missing bounds check on the curTime parameter inside the formVirtualServ C function. The firmware uses unsafe string copy semantics that trust the length of attacker-controlled input. No stack canaries or address space layout randomization protections are present in legacy DIR-605L firmware, making exploitation straightforward.
Attack Vector
Exploitation requires the attacker to submit a POST request to /goform/formVirtualServ with an oversized curTime argument. The attack can be launched over the network and requires only low-level authenticated access to the router's administrative interface. Successful exploitation compromises confidentiality, integrity, and availability of the device.
No verified proof-of-concept code is provided. Technical write-up details are available in the Notion Vulnerability Documentation and VulDB Vulnerability #356533.
Detection Methods for CVE-2026-5979
Indicators of Compromise
- HTTP POST requests to /goform/formVirtualServ containing abnormally long curTime parameter values
- Unexpected reboots, crashes, or httpd service restarts on DIR-605L routers
- Unusual outbound connections originating from the router's WAN interface following administrative requests
Detection Strategies
- Inspect network traffic to router management interfaces for POST bodies exceeding expected curTime field length
- Alert on access to /goform/formVirtualServ from unexpected source addresses or outside maintenance windows
- Monitor router syslog output for memory faults or watchdog-triggered reboots correlated with web administration activity
Monitoring Recommendations
- Place legacy SOHO routers on a monitored network segment with full packet capture at the edge
- Establish baseline traffic patterns for management interfaces and alert on deviations
- Track firmware version inventory to identify end-of-life devices like DIR-605L 2.13B01 across the environment
How to Mitigate CVE-2026-5979
Immediate Actions Required
- Replace DIR-605L devices because the product is end-of-life and will not receive a vendor patch
- Disable remote (WAN-side) administration on all DIR-605L units until decommissioning is complete
- Restrict LAN access to the router's web interface using firewall rules or VLAN segmentation
- Rotate administrative credentials and audit virtual server configurations for unauthorized entries
Patch Information
No patch is available. According to the advisory, the affected product is no longer supported by D-Link. Confirm device status on the D-Link Official Website and follow the vendor's end-of-life guidance, which is to retire and replace the hardware.
Workarounds
- Block external access to TCP ports used by the router's HTTP administration interface
- Require VPN access for any administrative session to the device
- Place the router behind an upstream gateway capable of inspecting and filtering crafted POST requests
- Migrate to a supported router platform that receives ongoing security updates
# Example: block WAN access to the router admin interface on an upstream firewall
iptables -A FORWARD -p tcp -d <router_lan_ip> --dport 80 -i <wan_iface> -j DROP
iptables -A FORWARD -p tcp -d <router_lan_ip> --dport 443 -i <wan_iface> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
