CVE-2026-2181
Stack-Based Buffer Overflow in Tenda RX3 /goform/openSchedWifi
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | rx3_firmware | 16.03.13.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical stack-based buffer overflow found in the Tenda RX3 router firmware version 16.03.13.11, specifically in the /goform/openSchedWifi endpoint. It arises from unsafe handling of user-supplied parameters schedStartTime and schedEndTime, which are copied into a fixed-size buffer without proper length validation. This unsafe copying using the strcpy function allows an attacker to provide oversized input strings that overflow the buffer, causing memory corruption.
The root cause is the lack of bounds checking during the copying of these scheduling time parameters, leading to heap or stack memory corruption. This flaw can be exploited remotely without local access, making it highly accessible to attackers.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to severe impacts including Denial of Service (DoS) and Remote Code Execution (RCE).
- Denial of Service (DoS): Memory corruption caused by the buffer overflow can crash the HTTP daemon process, disabling the device management interface and rendering the router unusable.
- Remote Code Execution (RCE): Carefully crafted inputs can hijack the control flow of the device, allowing an attacker to execute arbitrary code remotely.
Because the exploit is publicly available and the attack can be initiated remotely without authentication, the risk of compromise is high.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring or testing the `/goform/openSchedWifi` endpoint on the Tenda RX3 router firmware version V16.03.13.11 for abnormal behavior when sending manipulated parameters `schedStartTime` and `schedEndTime`.'}, {'type': 'paragraph', 'content': 'A proof-of-concept exploit involves sending an HTTP POST request with an excessively long `schedStartTime` parameter to trigger the buffer overflow and cause the device to crash or become unresponsive.'}, {'type': 'paragraph', 'content': "Suggested detection commands include using tools like curl or custom scripts to send oversized strings to the vulnerable endpoint and observe the device's response or stability."}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST http://<router-ip>/goform/openSchedWifi -d "schedStartTime=$(python3 -c \'print("1500"*10000)\')&schedEndTime=0000"'}, {'type': 'paragraph', 'content': 'If the device crashes, becomes unresponsive, or the HTTP daemon process stops, it indicates the presence of the vulnerability.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable firmware version V16.03.13.11 on Tenda RX3 routers and restricting access to the `/goform/openSchedWifi` endpoint to trusted users only.
Since the vulnerability arises from unsafe handling of input parameters, it is recommended to implement input validation and replace unsafe functions like `strcpy` with safer alternatives such as `strncpy`.
If possible, update the router firmware to a version where this vulnerability is patched or consider replacing the affected device with a more secure alternative.
In the absence of an official patch, network administrators should monitor for exploitation attempts and limit remote access to the device management interface.