CVE-2026-2877
Stack-Based Buffer Overflow in Tenda A18 Httpd Service
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | a18_firmware | 15.13.07.13 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-2877 is a critical stack-based buffer overflow vulnerability in the Tenda A18 router firmware version 15.13.07.13, specifically in the Httpd Service component at the /goform/WifiExtraSet endpoint.'}, {'type': 'paragraph', 'content': "The vulnerability occurs because the 'wpapsk_crypto5g' parameter, which is attacker-controlled, is copied into a fixed-size 16-byte stack buffer using the unsafe 'strcpy' function without checking the input length."}, {'type': 'paragraph', 'content': 'If the input exceeds 16 bytes, it causes a stack buffer overflow that can overwrite critical stack data such as the Frame Pointer and Return Address, enabling control flow hijacking.'}, {'type': 'paragraph', 'content': "This flaw can be exploited remotely by sending a crafted HTTP POST request with a long 'wpapsk_crypto5g' string, potentially leading to arbitrary code execution or denial of service by crashing the httpd process."}] [1, 2, 3]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including remote denial of service (DoS) and remote code execution on the affected Tenda A18 router.'}, {'type': 'paragraph', 'content': "An attacker can exploit the flaw to crash the router's web management interface, making the device unresponsive."}, {'type': 'paragraph', 'content': 'More critically, the attacker may hijack the control flow of the device to execute arbitrary code, potentially compromising the confidentiality, integrity, and availability of the router and the network it serves.'}] [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or crafted HTTP POST requests sent to the \'/goform/WifiExtraSet\' endpoint, specifically those containing the \'configured5g\' parameter set to "true" and an excessively long \'wpapsk_crypto5g\' string.'}, {'type': 'paragraph', 'content': "A practical detection method involves capturing network traffic and filtering for POST requests to '/goform/WifiExtraSet' with suspiciously long 'wpapsk_crypto5g' values."}, {'type': 'list_item', 'content': 'Use a network packet capture tool like tcpdump or Wireshark to capture HTTP traffic targeting the router.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant HTTP POST requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/WifiExtraSet'"}, {'type': 'list_item', 'content': "Inspect captured HTTP POST data for the presence of 'configured5g=true' and check the length of the 'wpapsk_crypto5g' parameter."}, {'type': 'paragraph', 'content': 'Additionally, monitoring for crashes or segmentation faults of the httpd process on the router can indicate exploitation attempts.'}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the vulnerable '/goform/WifiExtraSet' endpoint to trusted networks or users only, to prevent remote exploitation."}, {'type': 'paragraph', 'content': 'Since no official patches or fixes are currently available, consider disabling remote management features on the router if possible.'}, {'type': 'paragraph', 'content': 'Implement network-level protections such as firewall rules to block suspicious POST requests targeting the vulnerable endpoint.'}, {'type': 'paragraph', 'content': 'Monitor the router for signs of exploitation, such as crashes of the httpd service or unresponsiveness of the web management interface.'}, {'type': 'paragraph', 'content': "Long-term mitigation involves replacing the affected device with a non-vulnerable alternative or waiting for a firmware update that addresses the unsafe use of 'strcpy' and input validation."}] [1, 3]