Executive Summary

CVE-2026-2886 is a critical stack-based buffer overflow vulnerability found in the Tenda A21 router firmware version 1.0.0.0. It exists in the function set_device_name within the /goform/SetOnlineDevName endpoint.

The vulnerability arises because the function set_device_name uses an unsafe sprintf call to copy the user-controlled devName parameter into a fixed-size 256-byte stack buffer without validating the length of devName. If devName exceeds approximately 252 bytes, it causes a buffer overflow, overwriting the stack frame and the saved return address.

This flaw allows an attacker to remotely exploit the vulnerability by sending a specially crafted devName parameter, potentially leading to remote code execution or denial of service.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including:'}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE): An attacker can exploit the buffer overflow to overwrite the return address and execute arbitrary code with root privileges on the router.'}, {'type': 'list_item', 'content': "Denial of Service (DoS): Sending an oversized devName parameter can crash the HTTP daemon process, disabling the router's web management interface and causing service disruption."}] [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a crafted HTTP POST request to the endpoint /goform/SetOnlineDevName with an oversized devName parameter. If the device is vulnerable, the HTTP daemon process may crash or exhibit abnormal behavior.'}, {'type': 'paragraph', 'content': "A proof-of-concept Python script exists that sends a POST request with a devName parameter consisting of 1000 'A' characters and a valid mac address to trigger the overflow."}, {'type': 'paragraph', 'content': 'To detect the vulnerability manually, you can use curl or similar tools to send a test POST request like the following:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/goform/SetOnlineDevName -d "devName=$(python3 -c \'print("A"*1000)\')&mac=00:11:22:33:44:55"'}, {'type': 'paragraph', 'content': 'If the router crashes, becomes unresponsive, or the web management interface stops working after this request, it indicates the presence of the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include avoiding exposure of the vulnerable endpoint to untrusted networks and restricting access to the router's web management interface."}, {'type': 'paragraph', 'content': 'Since the vulnerability arises from unsafe handling of the devName parameter, network administrators should implement strict input validation or filtering on incoming requests to the /goform/SetOnlineDevName endpoint to block oversized devName values.'}, {'type': 'paragraph', 'content': 'If possible, update the firmware to a version where the unsafe sprintf call is replaced with a safer snprintf call and input length validation is enforced. If no patch is available, consider replacing the affected device with a more secure alternative.'}] [1, 3]

Useful 0 Not Useful 0