CVE-2026-2187
Analyzed Analyzed - Analysis Complete
Remote Stack-Based Buffer Overflow in Tenda RX3 QoS Function

Publication date: 2026-02-08

Last updated on: 2026-02-10

Assigner: VulDB

Description
A vulnerability was found in Tenda RX3 16.03.13.11. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-08
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-08
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2187
EUVD
EUVD-2026-5763
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda rx3_firmware 16.03.13.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability impacts the confidentiality, integrity, and availability of the affected device, the Tenda RX3 router.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): The router's HTTP daemon can crash or become unresponsive, disrupting network connectivity."}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can execute arbitrary code remotely, potentially taking full control of the device.'}, {'type': 'list_item', 'content': 'No authentication is required to exploit this vulnerability, increasing the risk of unauthorized access.'}, {'type': 'paragraph', 'content': 'Because the router is a network device, exploitation could lead to network disruptions, interception or manipulation of network traffic, and compromise of connected systems.'}] [1, 2, 3]

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2187 is a critical stack-based buffer overflow vulnerability found in the Tenda RX3 router firmware version 16.03.13.11. The flaw exists in the function set_qosMib_list within the file /goform/formSetQosBand. This function processes a user-controlled parameter named "list" and uses the unsafe strcpy function to copy this input into a fixed-size stack buffer of 256 bytes without validating the input length.'}, {'type': 'paragraph', 'content': "Because the input length is not checked, an attacker can supply an overly long input that overflows the buffer on the stack, overwriting the stack frame including the function's return address. This can lead to Denial of Service (DoS) by crashing the router's HTTP daemon or enable Remote Code Execution (RCE) by hijacking the program counter to execute arbitrary code."}, {'type': 'paragraph', 'content': 'The attack can be initiated remotely without authentication, making exploitation straightforward. A proof-of-concept exploit is publicly available, and no known mitigations exist. Recommended remediation includes replacing unsafe functions with safer alternatives and validating input length.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a crafted HTTP request to the vulnerable endpoint /goform/formSetQosBand on the Tenda RX3 router version 16.03.13.11. Specifically, the request should manipulate the "list" parameter with an overly long input that triggers the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': "A proof-of-concept exploit involves sending a large payload (e.g., 10,000 'A' characters followed by a delimiter) to the endpoint, which causes the router's HTTP daemon to crash or become unresponsive."}, {'type': 'paragraph', 'content': 'Suggested detection commands include using curl or similar HTTP clients to send the crafted request remotely. For example:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/goform/formSetQosBand -d "list=$(python3 -c \'print("A"*10000 + "\\n")\')"'}, {'type': 'paragraph', 'content': "Monitoring for crashes or unresponsiveness of the router's HTTP service after sending such requests can indicate the presence of the vulnerability."}] [3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'There are no known official countermeasures or patches available for this vulnerability as of the disclosure date.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Avoid exposing the vulnerable Tenda RX3 router's management interface to untrusted networks, especially the internet."}, {'type': 'list_item', 'content': 'Restrict access to the /goform/formSetQosBand endpoint by implementing firewall rules or network segmentation.'}, {'type': 'list_item', 'content': 'Monitor network traffic for suspicious POST requests targeting the QoS configuration endpoint.'}, {'type': 'list_item', 'content': 'Consider replacing the affected device with a more secure alternative, as recommended by the advisory.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2187. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart