CVE-2026-2905
Received Received - Intake
Stack-Based Buffer Overflow in Tenda HG9 Wireless Setup Endpoint

Publication date: 2026-02-22

Last updated on: 2026-02-23

Assigner: VulDB

Description
A vulnerability was identified in Tenda HG9 300001138. This impacts an unknown function of the file /boaform/formWlanSetup of the component Wireless Configuration Endpoint. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2905
EUVD
EUVD-2026-7548
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda hg9_firmware 300001138
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability is a critical stack-based buffer overflow found in the Tenda HG9 router firmware version V300001138, specifically in the Wireless Configuration Endpoint at /boaform/formWlanSetup.'}, {'type': 'paragraph', 'content': 'The issue arises because the function handling wireless LAN settings retrieves the user-controlled "ssid" parameter and copies it into fixed-size stack buffers without validating the input length.'}, {'type': 'paragraph', 'content': 'If an attacker sends an SSID longer than the buffer size (33 bytes), it causes a stack buffer overflow that can overwrite the stack frame, potentially leading to denial of service or arbitrary code execution on the device.'}, {'type': 'paragraph', 'content': 'The vulnerability is remotely exploitable without authentication, and a proof-of-concept exploit is publicly available.'}] [1, 2, 3]

Impact Analysis

This vulnerability can have severe impacts including denial of service (DoS) and remote code execution (RCE) on the affected device.

An attacker can exploit the buffer overflow to crash the HTTP daemon or cause the device to reboot, resulting in service disruption.

More critically, the attacker can hijack the program counter to execute arbitrary code, potentially gaining control over the device.

Since the exploit is remotely executable without authentication and is publicly available, the risk of compromise is high.

There are currently no known mitigations or countermeasures, so affected devices should be replaced or patched if possible.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for HTTP requests targeting the endpoint /boaform/formWlanSetup on Tenda HG9 routers with firmware version V300001138.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying HTTP POST or GET requests containing an "ssid" parameter with a length exceeding 32 characters, which triggers the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical approach is to capture and analyze HTTP requests to the vulnerable endpoint using network monitoring tools such as tcpdump or Wireshark.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic to the device: tcpdump -i <interface> -A 'tcp port 80 and host <router_ip>'"}, {'type': 'list_item', 'content': "Filter captured traffic for requests to /boaform/formWlanSetup containing the ssid parameter: grep -i 'ssid='"}, {'type': 'list_item', 'content': 'Look for ssid values longer than 32 characters, which indicate potential exploitation attempts.'}, {'type': 'paragraph', 'content': "Additionally, monitoring the router's behavior for crashes or reboots after receiving such requests can also indicate exploitation."}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include avoiding exposure of the vulnerable Tenda HG9 router's web interface to untrusted networks to prevent remote exploitation."}, {'type': 'paragraph', 'content': 'Since no official patches or countermeasures currently exist, it is recommended to replace the affected device with an alternative product.'}, {'type': 'paragraph', 'content': "If replacement is not immediately possible, restrict access to the router's management interface by network segmentation or firewall rules."}, {'type': 'paragraph', 'content': 'Monitoring and blocking HTTP requests with excessively long ssid parameters targeting /boaform/formWlanSetup can help reduce risk.'}, {'type': 'paragraph', 'content': 'For firmware developers or maintainers, remediation involves validating the length of the ssid parameter before processing, replacing unsafe functions like strcpy with safer alternatives such as strncpy or snprintf, and enabling stack protection mechanisms during compilation.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2905. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart