What is the CVSS score of CVE-2025-50646?

CVE-2025-50646 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of D-Link are affected by CVE-2025-50646?

CVE-2025-50646 is a critical unauthenticated denial-of-service vulnerability in D-Link DI-8003 routers (firmware 16.07.26A1) that allows remote attackers to crash network infrastructure without…

How to fix or mitigate CVE-2025-50646?

Within 24 hours: Identify and inventory all D-Link DI-8003 devices running firmware 16.07.26A1 across your network. Within 7 days: Contact D-Link support to confirm firmware availability status and implement temporary network segmentation to restrict WAN access to the /qos_type_asp.asp endpoint using firewall rules. Within 30 days: Replace affected devices with patched firmware versions once available from D-Link, or substitute with alternative router models if no patch timeline is provided by the vendor.

D-Link CVE-2025-50646

EUVD-2025-209325 HIGH

Classic Buffer Overflow (CWE-120)

2026-04-08 mitre

GHSA-h436-c99c-c8r5

Buffer Overflow D-Link

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 16:22 vuln.today

cvss_changed

EUVD ID Assigned

Apr 08, 2026 - 19:31 euvd

EUVD-2025-209325

Analysis Generated

Apr 08, 2026 - 19:31 vuln.today

CVE Published

Apr 08, 2026 - 00:00 nvd

HIGH 7.5

DescriptionNVD

A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint.

AnalysisAI

Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through malformed input to the name parameter at /qos_type_asp.asp endpoint. Attackers can trigger service disruption without authentication or user interaction by exploiting insufficient input validation in the QoS management interface. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis.

Technical ContextAI

Classic stack-based buffer overflow (CWE-120) in web administration interface's QoS type handler. Unchecked bounds on name parameter allow memory corruption, resulting in service crash (CVSS:3.1 A:H). Network-accessible attack vector with no authentication barrier (PR:N) makes this exploitable via HTTP request manipulation against vulnerable firmware version 16.07.26A1.

RemediationAI

No vendor-released patch identified at time of analysis. Consult D-Link security bulletin at https://www.dlink.com/en/security-bulletin/ for firmware update availability and device lifecycle status. If D-Link has discontinued support for DI-8003, immediately isolate affected devices from untrusted networks by restricting administrative interface access to trusted IP ranges via firewall rules or disabling remote management entirely. Deploy network segmentation to limit blast radius. Consider hardware replacement with currently-supported models if vendor confirms end-of-life status. Monitor D-Link advisories and NVD entry https://nvd.nist.gov/vuln/detail/CVE-2025-50646 for patched firmware releases.