CVE-2026-2185
Remote Stack-Based Buffer Overflow in Tenda RX3 MAC Filtering
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | rx3_firmware | 16.03.13.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability is a critical stack-based buffer overflow found in the Tenda RX3 router firmware version 16.03.13.11. It occurs in the MAC Filtering Configuration Endpoint, specifically in the function set_device_name within the /goform/setBlackRule file.'}, {'type': 'paragraph', 'content': 'The issue arises because the function uses the unsafe sprintf function to copy the user-supplied devName parameter into a fixed-size stack buffer without checking the length. If an attacker sends an excessively long devName value, it causes the buffer to overflow, corrupting the stack and allowing control over the instruction pointer.'}, {'type': 'paragraph', 'content': "This flaw can be exploited remotely by sending crafted requests to the router, potentially enabling arbitrary code execution or causing the router's management service to crash."}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can lead to severe impacts including:'}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can execute arbitrary code with root privileges on the router, leading to full system compromise.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): Sending a specially crafted long payload can crash the router's HTTP daemon process, disrupting web-based management."}, {'type': 'list_item', 'content': 'Compromise of confidentiality, integrity, and availability of the device and potentially the network it manages.'}] [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or malformed HTTP POST requests to the endpoint `/goform/setBlackRule` on the Tenda RX3 router firmware version V16.03.13.11. Specifically, requests containing an excessively long `devName` parameter (e.g., thousands of characters) may indicate an attempt to exploit the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze network traffic for POST requests targeting `/goform/setBlackRule` with suspiciously large `devName` values.'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts include using network packet capture tools like tcpdump or tshark:'}, {'type': 'list_item', 'content': "tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/setBlackRule'"}, {'type': 'list_item', 'content': 'tshark -i <interface> -Y \'http.request.method == "POST" and http.request.uri contains "/goform/setBlackRule"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'Inspect the captured POST data for the `devName` parameter length. If it exceeds normal expected lengths (e.g., >128 characters), it may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring router logs for crashes or HTTP daemon restarts may help identify denial-of-service attempts caused by this vulnerability.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable endpoint and preventing exploitation attempts by filtering or blocking suspicious requests.'}, {'type': 'list_item', 'content': "Restrict remote access to the router's management interface, especially blocking access to `/goform/setBlackRule` from untrusted networks."}, {'type': 'list_item', 'content': 'Implement network-level filtering or firewall rules to block HTTP POST requests with unusually long `devName` parameters targeting the vulnerable endpoint.'}, {'type': 'list_item', 'content': 'Monitor the router for crashes or abnormal behavior and reboot if necessary to restore service.'}, {'type': 'paragraph', 'content': 'From a firmware perspective, the vulnerability is caused by unsafe use of `sprintf` without bounds checking. The recommended code fix is to replace `sprintf` with `snprintf` and validate the length of `devName` before processing.'}, {'type': 'paragraph', 'content': 'Since no official patch or fix is currently available, consider replacing the affected device or firmware version to eliminate the risk.'}] [2, 3]