CVE-2026-2872
Received Received - Intake
Stack-Based Buffer Overflow in Tenda A21 MAC Filtering Endpoint

Publication date: 2026-02-21

Last updated on: 2026-02-23

Assigner: VulDB

Description
A security vulnerability has been detected in Tenda A21 1.0.0.0. This vulnerability affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. Such manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2872
EUVD
EUVD-2026-7516
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda a21_firmware 1.0.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2872 is a critical stack-based buffer overflow vulnerability found in the Tenda A21 router, version 1.0.0.0. It exists in the MAC Filtering Configuration Endpoint, specifically in the function set_device_name within the file /goform/setBlackRule.

The vulnerability arises because the function uses the unsafe sprintf function to write the devName parameter into a fixed-size stack buffer without validating the input length. This allows an attacker to provide an excessively long devName value, causing a buffer overflow that overwrites the stack, including the saved frame pointer and return address.

This overflow can be exploited remotely without local access or physical interaction, potentially allowing the attacker to control the instruction pointer and execute arbitrary code on the device.

Impact Analysis

[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can lead to several severe impacts on the affected device.'}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can execute arbitrary shellcode or return-oriented programming (ROP) chains, leading to full system compromise with root privileges.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): Sending a long payload can crash the router's HTTP daemon process, causing service disruption."}, {'type': 'list_item', 'content': 'Compromise of Confidentiality, Integrity, and Availability: The buffer overflow can impact all three security aspects of the device.'}] [1, 2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for suspicious HTTP requests targeting the endpoint /goform/setBlackRule on Tenda A21 routers running firmware version 1.0.0.0. Specifically, look for requests that include an excessively long devName parameter, which is used to trigger the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method is to use network traffic inspection tools or intrusion detection systems (IDS) to flag unusually long or malformed devName parameters in POST requests to /goform/setBlackRule.'}, {'type': 'paragraph', 'content': 'For example, using curl or similar tools, you can simulate a test request to check if the device responds abnormally or crashes when given a long devName string.'}, {'type': 'list_item', 'content': 'Use curl to send a long devName parameter to the vulnerable endpoint: curl -X POST http://<router-ip>/goform/setBlackRule -d "devName=$(python3 -c \'print("A"*10000)\')&mac=00:11:22:33:44:55"'}, {'type': 'list_item', 'content': 'Monitor router logs or HTTP daemon behavior for crashes or restarts after such requests.'}, {'type': 'list_item', 'content': 'Use network IDS rules to detect unusually long devName parameters in HTTP POST requests to /goform/setBlackRule.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, no official mitigations or patches are available for this vulnerability in the affected Tenda A21 firmware version 1.0.0.0.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Restrict remote access to the router's management interface to trusted networks or IP addresses to prevent exploitation from external sources."}, {'type': 'list_item', 'content': 'Disable or limit the MAC filtering configuration feature if possible, to reduce the attack surface.'}, {'type': 'list_item', 'content': 'Monitor network traffic for suspicious requests targeting /goform/setBlackRule and block or alert on such activity.'}, {'type': 'list_item', 'content': 'Consider replacing the affected device with a more secure model or firmware version that does not contain this vulnerability.'}, {'type': 'paragraph', 'content': 'Long term, the vulnerability can be fixed by updating the firmware to replace unsafe sprintf calls with safer alternatives like snprintf and adding input validation to limit devName length.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2872. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart