CVE-2026-2187
Remote Stack-Based Buffer Overflow in Tenda RX3 QoS Function
Publication date: 2026-02-08
Last updated on: 2026-02-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | rx3_firmware | 16.03.13.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability impacts the confidentiality, integrity, and availability of the affected device, the Tenda RX3 router.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): The router's HTTP daemon can crash or become unresponsive, disrupting network connectivity."}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can execute arbitrary code remotely, potentially taking full control of the device.'}, {'type': 'list_item', 'content': 'No authentication is required to exploit this vulnerability, increasing the risk of unauthorized access.'}, {'type': 'paragraph', 'content': 'Because the router is a network device, exploitation could lead to network disruptions, interception or manipulation of network traffic, and compromise of connected systems.'}] [1, 2, 3]
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2187 is a critical stack-based buffer overflow vulnerability found in the Tenda RX3 router firmware version 16.03.13.11. The flaw exists in the function set_qosMib_list within the file /goform/formSetQosBand. This function processes a user-controlled parameter named "list" and uses the unsafe strcpy function to copy this input into a fixed-size stack buffer of 256 bytes without validating the input length.'}, {'type': 'paragraph', 'content': "Because the input length is not checked, an attacker can supply an overly long input that overflows the buffer on the stack, overwriting the stack frame including the function's return address. This can lead to Denial of Service (DoS) by crashing the router's HTTP daemon or enable Remote Code Execution (RCE) by hijacking the program counter to execute arbitrary code."}, {'type': 'paragraph', 'content': 'The attack can be initiated remotely without authentication, making exploitation straightforward. A proof-of-concept exploit is publicly available, and no known mitigations exist. Recommended remediation includes replacing unsafe functions with safer alternatives and validating input length.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a crafted HTTP request to the vulnerable endpoint /goform/formSetQosBand on the Tenda RX3 router version 16.03.13.11. Specifically, the request should manipulate the "list" parameter with an overly long input that triggers the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': "A proof-of-concept exploit involves sending a large payload (e.g., 10,000 'A' characters followed by a delimiter) to the endpoint, which causes the router's HTTP daemon to crash or become unresponsive."}, {'type': 'paragraph', 'content': 'Suggested detection commands include using curl or similar HTTP clients to send the crafted request remotely. For example:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/goform/formSetQosBand -d "list=$(python3 -c \'print("A"*10000 + "\\n")\')"'}, {'type': 'paragraph', 'content': "Monitoring for crashes or unresponsiveness of the router's HTTP service after sending such requests can indicate the presence of the vulnerability."}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'There are no known official countermeasures or patches available for this vulnerability as of the disclosure date.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Avoid exposing the vulnerable Tenda RX3 router's management interface to untrusted networks, especially the internet."}, {'type': 'list_item', 'content': 'Restrict access to the /goform/formSetQosBand endpoint by implementing firewall rules or network segmentation.'}, {'type': 'list_item', 'content': 'Monitor network traffic for suspicious POST requests targeting the QoS configuration endpoint.'}, {'type': 'list_item', 'content': 'Consider replacing the affected device with a more secure alternative, as recommended by the advisory.'}] [1, 3]