CVE-2026-2180
Remote Stack-Based Buffer Overflow in Tenda RX3 Wi-Fi Settings
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | rx3_firmware | 16.03.13.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2180 is a critical stack-based buffer overflow vulnerability in the Tenda RX3 router firmware version 16.03.13.11. It occurs in the Wi-Fi configuration endpoint /goform/fast_setting_wifi_set, specifically in the function form_fast_setting_wifi_set.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the function processes a user-controlled parameter called ssid (specifically ssid_5g) using the unsafe sprintf function without validating the length of the input. This allows an attacker to supply an overly long SSID string that exceeds the fixed 64-byte buffer size, causing a buffer overflow.'}, {'type': 'paragraph', 'content': "This overflow can overwrite adjacent stack memory, including the saved frame pointer and return address, which can lead to Denial of Service (DoS) by crashing the router's httpd process or enable Remote Code Execution (RCE) with root privileges by hijacking the program counter."}, {'type': 'paragraph', 'content': 'The exploit can be launched remotely, and a proof-of-concept exploit is publicly available. Mitigation involves replacing the unsafe sprintf call with snprintf to enforce buffer size limits and validating the length of the SSID parameter before processing.'}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can have severe impacts on affected Tenda RX3 routers. An attacker can exploit it remotely to cause a Denial of Service (DoS), crashing the router's web service and disrupting network connectivity."}, {'type': 'paragraph', 'content': 'More critically, the vulnerability can be exploited to achieve Remote Code Execution (RCE) with root privileges, allowing an attacker to execute arbitrary code on the device. This can lead to full compromise of the router, including unauthorized access, control over network traffic, and potential further attacks on connected devices.'}, {'type': 'paragraph', 'content': 'Because the exploit is publicly available and easy to use, the risk of exploitation is high if the device is exposed to untrusted networks.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for HTTP requests to the endpoint /goform/fast_setting_wifi_set containing an unusually long ssid parameter, especially those exceeding 60 characters.'}, {'type': 'paragraph', 'content': "A practical detection method is to capture and analyze HTTP POST requests targeting the vulnerable router's Wi-Fi configuration endpoint and check for the length of the ssid parameter."}, {'type': 'list_item', 'content': 'Use a network packet capture tool like tcpdump or Wireshark to filter HTTP requests to /goform/fast_setting_wifi_set.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/fast_setting_wifi_set'"}, {'type': 'list_item', 'content': 'Inspect captured HTTP POST data for the ssid parameter length; ssid values longer than 60 characters may indicate an exploit attempt.'}, {'type': 'paragraph', 'content': 'Additionally, checking router logs for crashes or restarts of the httpd process may indicate exploitation attempts due to the buffer overflow.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable endpoint and monitoring for suspicious activity.'}, {'type': 'list_item', 'content': "Limit remote access to the router's management interface to trusted IP addresses or disable remote management if not needed."}, {'type': 'list_item', 'content': 'Implement network-level filtering or firewall rules to block HTTP requests to /goform/fast_setting_wifi_set from untrusted sources.'}, {'type': 'list_item', 'content': 'Monitor the router for signs of compromise such as unexpected reboots or crashes of the httpd process.'}, {'type': 'paragraph', 'content': 'Since no official patch or fix is available, consider replacing the affected device or firmware with a version that includes the fix, which involves replacing unsafe sprintf calls with snprintf and validating input lengths.'}] [1, 3]