CVE-2026-2870
Remote Stack-Based Buffer Overflow in Tenda A21 QoS Function
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | a21_firmware | 1.0.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2870 is a critical stack-based buffer overflow vulnerability found in the Tenda A21 router, version 1.0.0.0. The flaw exists in the function set_qosMib_list within the file /goform/formSetQosBand.'}, {'type': 'paragraph', 'content': "The vulnerability arises from improper manipulation of a user-controlled argument named 'list'. This argument is copied unsafely into a fixed-size 256-byte stack buffer without validating its length, using the unsafe strcpy function. If the input exceeds the buffer size, it causes a stack overflow."}, {'type': 'paragraph', 'content': 'This overflow can overwrite the stack frame, including the return address, potentially allowing an attacker to crash the device or execute arbitrary code remotely.'}, {'type': 'paragraph', 'content': "The vulnerability can be exploited remotely via the router's QoS configuration endpoint and a proof-of-concept exploit is publicly available."}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the affected Tenda A21 router device.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): The device's HTTP daemon can crash or become unresponsive, disrupting network services."}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can hijack the program counter to execute arbitrary code on the device, potentially gaining control over it.'}, {'type': 'list_item', 'content': 'Because the exploit is easy to execute remotely and no known mitigations or patches are available, the risk of attack is high.'}, {'type': 'paragraph', 'content': 'Overall, exploitation could lead to loss of control over the device, network disruption, and exposure of sensitive data passing through the router.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the Tenda A21 router's QoS configuration endpoint `/goform/formSetQosBand` for stack-based buffer overflow conditions by sending specially crafted requests with overly long `list` parameters."}, {'type': 'paragraph', 'content': "A proof-of-concept exploit exists that sends a very long string (e.g., thousands of 'A's followed by a delimiter) to the vulnerable endpoint, which can cause the HTTP daemon to crash or become unresponsive, indicating the presence of the vulnerability."}, {'type': 'paragraph', 'content': 'While no specific detection commands are provided, a network or system administrator could use tools like curl or custom scripts to send HTTP POST requests to the endpoint `/goform/formSetQosBand` with a crafted `list` parameter exceeding 256 bytes to observe if the device crashes or behaves abnormally.'}, {'type': 'list_item', 'content': 'Example command using curl to test the vulnerability (replace <router_ip> with the device IP):'}, {'type': 'list_item', 'content': 'curl -X POST http://<router_ip>/goform/formSetQosBand -d "list=$(python3 -c \'print("A"*300 + ";")\')"'}, {'type': 'paragraph', 'content': 'If the device crashes, becomes unresponsive, or the web interface stops responding after this request, it indicates the vulnerability is present.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Currently, there are no known patches or official mitigations available for this vulnerability in the Tenda A21 router firmware version 1.0.0.0.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Avoid exposing the router's web interface or the vulnerable endpoint `/goform/formSetQosBand` to untrusted networks or the internet."}, {'type': 'list_item', 'content': "Restrict access to the router's management interface to trusted hosts only."}, {'type': 'list_item', 'content': 'Monitor the device for unusual crashes or unresponsiveness that may indicate exploitation attempts.'}, {'type': 'list_item', 'content': 'Consider replacing the affected Tenda A21 router with a different device that is not vulnerable to this issue.'}, {'type': 'paragraph', 'content': 'Long-term remediation involves updating the firmware to a version that fixes the unsafe use of `strcpy` and validates input lengths, but no such update is currently available.'}] [1, 3]