CVE-2026-2185
Analyzed Analyzed - Analysis Complete
Remote Stack-Based Buffer Overflow in Tenda RX3 MAC Filtering

Publication date: 2026-02-08

Last updated on: 2026-02-10

Assigner: VulDB

Description
A flaw has been found in Tenda RX3 16.03.13.11. This issue affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. This manipulation of the argument devName/mac causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2185
EUVD
EUVD-2026-5765
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda rx3_firmware 16.03.13.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability is a critical stack-based buffer overflow found in the Tenda RX3 router firmware version 16.03.13.11. It occurs in the MAC Filtering Configuration Endpoint, specifically in the function set_device_name within the /goform/setBlackRule file.'}, {'type': 'paragraph', 'content': 'The issue arises because the function uses the unsafe sprintf function to copy the user-supplied devName parameter into a fixed-size stack buffer without checking the length. If an attacker sends an excessively long devName value, it causes the buffer to overflow, corrupting the stack and allowing control over the instruction pointer.'}, {'type': 'paragraph', 'content': "This flaw can be exploited remotely by sending crafted requests to the router, potentially enabling arbitrary code execution or causing the router's management service to crash."}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can lead to severe impacts including:'}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can execute arbitrary code with root privileges on the router, leading to full system compromise.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): Sending a specially crafted long payload can crash the router's HTTP daemon process, disrupting web-based management."}, {'type': 'list_item', 'content': 'Compromise of confidentiality, integrity, and availability of the device and potentially the network it manages.'}] [2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or malformed HTTP POST requests to the endpoint `/goform/setBlackRule` on the Tenda RX3 router firmware version V16.03.13.11. Specifically, requests containing an excessively long `devName` parameter (e.g., thousands of characters) may indicate an attempt to exploit the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze network traffic for POST requests targeting `/goform/setBlackRule` with suspiciously large `devName` values.'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts include using network packet capture tools like tcpdump or tshark:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/setBlackRule'"}, {'type': 'list_item', 'content': 'tshark -i <interface> -Y \'http.request.method == "POST" and http.request.uri contains "/goform/setBlackRule"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'Inspect the captured POST data for the `devName` parameter length. If it exceeds normal expected lengths (e.g., >128 characters), it may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring router logs for crashes or HTTP daemon restarts may help identify denial-of-service attempts caused by this vulnerability.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable endpoint and preventing exploitation attempts by filtering or blocking suspicious requests.'}, {'type': 'list_item', 'content': "Restrict remote access to the router's management interface, especially blocking access to `/goform/setBlackRule` from untrusted networks."}, {'type': 'list_item', 'content': 'Implement network-level filtering or firewall rules to block HTTP POST requests with unusually long `devName` parameters targeting the vulnerable endpoint.'}, {'type': 'list_item', 'content': 'Monitor the router for crashes or abnormal behavior and reboot if necessary to restore service.'}, {'type': 'paragraph', 'content': 'From a firmware perspective, the vulnerability is caused by unsafe use of `sprintf` without bounds checking. The recommended code fix is to replace `sprintf` with `snprintf` and validate the length of `devName` before processing.'}, {'type': 'paragraph', 'content': 'Since no official patch or fix is currently available, consider replacing the affected device or firmware version to eliminate the risk.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart