CVE-2026-2186
Remote Stack-Based Buffer Overflow in Tenda RX3 IP-MAC Binding
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | rx3_firmware | 16.03.13.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2186 is a critical stack-based buffer overflow vulnerability found in the Tenda RX3 router firmware version 16.03.13.11. The flaw exists in the function fromSetIpMacBind within the file /goform/SetIpMacBind, which processes the "list" parameter containing IP-MAC binding rules.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because the function uses the unsafe strcpy function to copy the input string into a fixed-size 128-byte stack buffer without validating the input length. This allows an attacker to overflow the buffer and overwrite the stack frame.'}, {'type': 'paragraph', 'content': 'Additionally, the input is parsed using _isoc99_sscanf, and the function calls set_device_name, which uses unsafe sprintf calls to write into a 256-byte buffer without bounds checking, creating further opportunities for stack corruption.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this remotely by sending a specially crafted "list" parameter to the router\'s /goform/SetIpMacBind endpoint, potentially causing a buffer overflow.'}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including:'}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can exploit the buffer overflow to overwrite the saved return address and execute arbitrary code with root privileges on the router.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): Sending malformed or oversized input can crash the router's HTTP daemon, disabling the web management interface and potentially disrupting network connectivity."}, {'type': 'list_item', 'content': 'Compromise of Confidentiality, Integrity, and Availability: Since the router can be fully controlled by an attacker, sensitive network traffic and device configurations can be exposed or altered.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a specially crafted HTTP POST request to the endpoint /goform/SetIpMacBind with an excessively large or malformed "list" parameter. For example, sending a very long string (e.g., 10,000 \'A\'s) in the "list" parameter can trigger the stack-based buffer overflow and cause the router\'s web management interface to crash.'}, {'type': 'paragraph', 'content': 'A proof-of-concept Python script exists that demonstrates this detection method by sending such a request to the vulnerable router firmware version V16.03.13.11.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send a POST request with a large "list" parameter to http://<router-ip>/goform/SetIpMacBind, for example:'}, {'type': 'list_item', 'content': 'curl -X POST -d "list=$(python3 -c \'print("A"*10000)\')" http://<router-ip>/goform/SetIpMacBind'}, {'type': 'paragraph', 'content': 'If the router crashes, becomes unresponsive, or the web interface stops working after this request, it indicates the presence of the vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include avoiding exposure of the router's web management interface to untrusted networks, especially the internet, to prevent remote exploitation."}, {'type': 'paragraph', 'content': 'Since no vendor patch or fix is currently available, it is recommended to replace the affected product with an alternative device that is not vulnerable.'}, {'type': 'paragraph', 'content': 'Network administrators should also monitor for unusual HTTP POST requests to the /goform/SetIpMacBind endpoint containing abnormally large or malformed "list" parameters and block such traffic if possible.'}, {'type': 'paragraph', 'content': 'Long term, remediation involves applying patches that replace unsafe functions like strcpy with safer alternatives such as strncpy, enforce strict input length validation, and use bounds-checked functions like snprintf in the affected firmware.'}] [1, 3]