CVE-2026-2186
Analyzed Analyzed - Analysis Complete
Remote Stack-Based Buffer Overflow in Tenda RX3 IP-MAC Binding

Publication date: 2026-02-08

Last updated on: 2026-02-10

Assigner: VulDB

Description
A vulnerability has been found in Tenda RX3 16.03.13.11. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2186
EUVD
EUVD-2026-5764
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda rx3_firmware 16.03.13.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2186 is a critical stack-based buffer overflow vulnerability found in the Tenda RX3 router firmware version 16.03.13.11. The flaw exists in the function fromSetIpMacBind within the file /goform/SetIpMacBind, which processes the "list" parameter containing IP-MAC binding rules.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the function uses the unsafe strcpy function to copy the input string into a fixed-size 128-byte stack buffer without validating the input length. This allows an attacker to overflow the buffer and overwrite the stack frame.'}, {'type': 'paragraph', 'content': 'Additionally, the input is parsed using _isoc99_sscanf, and the function calls set_device_name, which uses unsafe sprintf calls to write into a 256-byte buffer without bounds checking, creating further opportunities for stack corruption.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this remotely by sending a specially crafted "list" parameter to the router\'s /goform/SetIpMacBind endpoint, potentially causing a buffer overflow.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including:'}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can exploit the buffer overflow to overwrite the saved return address and execute arbitrary code with root privileges on the router.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): Sending malformed or oversized input can crash the router's HTTP daemon, disabling the web management interface and potentially disrupting network connectivity."}, {'type': 'list_item', 'content': 'Compromise of Confidentiality, Integrity, and Availability: Since the router can be fully controlled by an attacker, sensitive network traffic and device configurations can be exposed or altered.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a specially crafted HTTP POST request to the endpoint /goform/SetIpMacBind with an excessively large or malformed "list" parameter. For example, sending a very long string (e.g., 10,000 \'A\'s) in the "list" parameter can trigger the stack-based buffer overflow and cause the router\'s web management interface to crash.'}, {'type': 'paragraph', 'content': 'A proof-of-concept Python script exists that demonstrates this detection method by sending such a request to the vulnerable router firmware version V16.03.13.11.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send a POST request with a large "list" parameter to http://<router-ip>/goform/SetIpMacBind, for example:'}, {'type': 'list_item', 'content': 'curl -X POST -d "list=$(python3 -c \'print("A"*10000)\')" http://<router-ip>/goform/SetIpMacBind'}, {'type': 'paragraph', 'content': 'If the router crashes, becomes unresponsive, or the web interface stops working after this request, it indicates the presence of the vulnerability.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include avoiding exposure of the router's web management interface to untrusted networks, especially the internet, to prevent remote exploitation."}, {'type': 'paragraph', 'content': 'Since no vendor patch or fix is currently available, it is recommended to replace the affected product with an alternative device that is not vulnerable.'}, {'type': 'paragraph', 'content': 'Network administrators should also monitor for unusual HTTP POST requests to the /goform/SetIpMacBind endpoint containing abnormally large or malformed "list" parameters and block such traffic if possible.'}, {'type': 'paragraph', 'content': 'Long term, remediation involves applying patches that replace unsafe functions like strcpy with safer alternatives such as strncpy, enforce strict input length validation, and use bounds-checked functions like snprintf in the affected firmware.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2186. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart