CVE-2026-2873
Remote Stack-Based Buffer Overflow in Tenda A21 WiFi Scheduler
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | a21_firmware | 1.0.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2873 is a critical stack-based buffer overflow vulnerability found in the Tenda A21 router firmware version 1.0.0.0. The flaw exists in the function setSchedWifi within the /goform/openSchedWifi endpoint. It arises because the parameters schedStartTime and schedEndTime, which are user-supplied, are copied into a fixed-size buffer of 25 bytes using the unsafe strcpy function without any input length validation.
An attacker can supply oversized strings for these parameters, causing a buffer overflow that leads to memory corruption. This vulnerability can be exploited remotely without local access.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to Denial of Service (DoS) by crashing the HTTP daemon process on the router, making the device unavailable.
More severely, it can enable Remote Code Execution (RCE), allowing an attacker to execute arbitrary code on the device, potentially compromising its confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for attempts to access the vulnerable endpoint /goform/openSchedWifi with unusually long or malformed schedStartTime or schedEndTime parameters.'}, {'type': 'paragraph', 'content': 'A practical detection method is to send crafted HTTP requests to the /goform/openSchedWifi endpoint with oversized schedStartTime or schedEndTime parameters and observe if the device crashes or the HTTP daemon process times out, indicating a potential buffer overflow.'}, {'type': 'paragraph', 'content': 'For example, using curl or similar tools, you can test with commands like:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/goform/openSchedWifi -d "schedStartTime=1500150015001500&schedEndTime=0000"'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/goform/openSchedWifi -d "schedStartTime=$(printf \'1500%.0s\' {1..10000})&schedEndTime=0000"'}, {'type': 'paragraph', 'content': 'If the device crashes, becomes unresponsive, or the HTTP service times out after such requests, it indicates the presence of the vulnerability.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable /goform/openSchedWifi endpoint to trusted users only, such as by implementing firewall rules or network segmentation to limit remote access.
Additionally, monitoring and blocking HTTP requests with suspiciously long schedStartTime or schedEndTime parameters can help prevent exploitation.
Since no official patch or firmware update is currently available, it is recommended to replace the affected device or firmware with a secure alternative if possible.
Long term, the vulnerability should be addressed by the vendor through proper input validation, replacing unsafe functions like strcpy with safer alternatives such as strncpy, and ensuring buffer sizes are adequate.