CVE-2026-2877
Received Received - Intake
Stack-Based Buffer Overflow in Tenda A18 Httpd Service

Publication date: 2026-02-21

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability has been found in Tenda A18 15.13.07.13. This affects the function strcpy of the file /goform/WifiExtraSet of the component Httpd Service. The manipulation of the argument wpapsk_crypto5g leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2877
EUVD
EUVD-2026-7592
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda a18_firmware 15.13.07.13
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2877 is a critical stack-based buffer overflow vulnerability in the Tenda A18 router firmware version 15.13.07.13, specifically in the Httpd Service component at the /goform/WifiExtraSet endpoint.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the 'wpapsk_crypto5g' parameter, which is attacker-controlled, is copied into a fixed-size 16-byte stack buffer using the unsafe 'strcpy' function without checking the input length."}, {'type': 'paragraph', 'content': 'If the input exceeds 16 bytes, it causes a stack buffer overflow that can overwrite critical stack data such as the Frame Pointer and Return Address, enabling control flow hijacking.'}, {'type': 'paragraph', 'content': "This flaw can be exploited remotely by sending a crafted HTTP POST request with a long 'wpapsk_crypto5g' string, potentially leading to arbitrary code execution or denial of service by crashing the httpd process."}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including remote denial of service (DoS) and remote code execution on the affected Tenda A18 router.'}, {'type': 'paragraph', 'content': "An attacker can exploit the flaw to crash the router's web management interface, making the device unresponsive."}, {'type': 'paragraph', 'content': 'More critically, the attacker may hijack the control flow of the device to execute arbitrary code, potentially compromising the confidentiality, integrity, and availability of the router and the network it serves.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or crafted HTTP POST requests sent to the \'/goform/WifiExtraSet\' endpoint, specifically those containing the \'configured5g\' parameter set to "true" and an excessively long \'wpapsk_crypto5g\' string.'}, {'type': 'paragraph', 'content': "A practical detection method involves capturing network traffic and filtering for POST requests to '/goform/WifiExtraSet' with suspiciously long 'wpapsk_crypto5g' values."}, {'type': 'list_item', 'content': 'Use a network packet capture tool like tcpdump or Wireshark to capture HTTP traffic targeting the router.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant HTTP POST requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/WifiExtraSet'"}, {'type': 'list_item', 'content': "Inspect captured HTTP POST data for the presence of 'configured5g=true' and check the length of the 'wpapsk_crypto5g' parameter."}, {'type': 'paragraph', 'content': 'Additionally, monitoring for crashes or segmentation faults of the httpd process on the router can indicate exploitation attempts.'}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the vulnerable '/goform/WifiExtraSet' endpoint to trusted networks or users only, to prevent remote exploitation."}, {'type': 'paragraph', 'content': 'Since no official patches or fixes are currently available, consider disabling remote management features on the router if possible.'}, {'type': 'paragraph', 'content': 'Implement network-level protections such as firewall rules to block suspicious POST requests targeting the vulnerable endpoint.'}, {'type': 'paragraph', 'content': 'Monitor the router for signs of exploitation, such as crashes of the httpd service or unresponsiveness of the web management interface.'}, {'type': 'paragraph', 'content': "Long-term mitigation involves replacing the affected device with a non-vulnerable alternative or waiting for a firmware update that addresses the unsafe use of 'strcpy' and input validation."}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart