CVE-2026-2886
Remote Stack-Based Buffer Overflow in Tenda A21 set_device_name
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | a21_firmware | 1.0.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2886 is a critical stack-based buffer overflow vulnerability found in the Tenda A21 router firmware version 1.0.0.0. It exists in the function set_device_name within the /goform/SetOnlineDevName endpoint.
The vulnerability arises because the function set_device_name uses an unsafe sprintf call to copy the user-controlled devName parameter into a fixed-size 256-byte stack buffer without validating the length of devName. If devName exceeds approximately 252 bytes, it causes a buffer overflow, overwriting the stack frame and the saved return address.
This flaw allows an attacker to remotely exploit the vulnerability by sending a specially crafted devName parameter, potentially leading to remote code execution or denial of service.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Remote Code Execution (RCE): An attacker can exploit the buffer overflow to overwrite the return address and execute arbitrary code with root privileges on the router.
- Denial of Service (DoS): Sending an oversized devName parameter can crash the HTTP daemon process, disabling the router's web management interface and causing service disruption.
[1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a crafted HTTP POST request to the endpoint /goform/SetOnlineDevName with an oversized devName parameter. If the device is vulnerable, the HTTP daemon process may crash or exhibit abnormal behavior.
A proof-of-concept Python script exists that sends a POST request with a devName parameter consisting of 1000 'A' characters and a valid MAC address to trigger the overflow.
To detect the vulnerability manually, you can use curl or similar tools to send a test POST request like the following:
- curl -X POST http://[router_ip]/goform/SetOnlineDevName -d "devName=$(python3 -c 'print("A"*1000)')&mac=00:11:22:33:44:55"
If the router crashes, becomes unresponsive, or the web management interface stops working after this request, it indicates the presence of the vulnerability.
[1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding exposure of the vulnerable endpoint to untrusted networks and restricting access to the router's web management interface.
Since the vulnerability arises from unsafe handling of the devName parameter, network administrators should implement strict input validation or filtering on incoming requests to the /goform/SetOnlineDevName endpoint to block oversized devName values.
If possible, update the firmware to a version where the unsafe sprintf call is replaced with a safer snprintf call and input length validation is enforced. If no patch is available, consider replacing the affected device with a more secure alternative.
[1, 3]
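The code-level fix described above (snprintf in place of sprintf, plus length validation), as an added C example; it is not Tenda's code and does not come from the advisory. The function names, the `dev=%s` format prefix and the sample inputs are assumptions constructed for illustration; only the 256-byte buffer size is taken from the description.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 256        /* stack buffer size given in the description */
#define NAME_FMT      "dev=%s"   /* hypothetical prefix; the real format string is not on the page */

/* Pattern the description reports, shown for contrast only (never called):
 *     char buf[NAME_BUF_SIZE];
 *     sprintf(buf, NAME_FMT, devName);   // no bound: a long devName writes past buf
 */

/* Hardened variant (hypothetical name). Returns 0 and fills out on success,
 * -1 when devName is missing, empty, or too long for the fixed-size buffer. */
int set_device_name_checked(const char *dev_name, char *out, size_t out_size)
{
    char buf[NAME_BUF_SIZE];
    int n;

    if (dev_name == NULL || out == NULL || out_size < sizeof(buf))
        return -1;
    /* Bound the scan: the terminator must appear within NAME_BUF_SIZE bytes. */
    if (dev_name[0] == '\0' || memchr(dev_name, '\0', NAME_BUF_SIZE) == NULL)
        return -1;

    /* snprintf writes at most sizeof(buf) bytes and returns the length it
     * needed, so n >= sizeof(buf) means prefix + name did not fit. */
    n = snprintf(buf, sizeof(buf), NAME_FMT, dev_name);
    if (n < 0 || (size_t)n >= sizeof(buf))
        return -1;               /* reject instead of silently truncating */

    memcpy(out, buf, (size_t)n + 1);
    return 0;
}

/* Builds a constructed name of len 'A' characters and runs the check on it. */
int check_name_of_length(size_t len)
{
    char name[1100], out[NAME_BUF_SIZE];
    if (len >= sizeof(name)) return -1;
    memset(name, 'A', len);
    name[len] = '\0';
    return set_device_name_checked(name, out, sizeof(out));
}

int main(void)
{
    size_t lens[] = {16, 251, 252, 1000};   /* constructed lengths */
    for (size_t i = 0; i < 4; i++)
        printf("len %zu -> %d\n", lens[i], check_name_of_length(lens[i]));
    return 0;
}
```

With the assumed 4-byte prefix, the longest accepted name is 251 characters; anything longer is rejected before it can reach the end of the buffer.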