CVE-2026-2905
Stack-Based Buffer Overflow in Tenda HG9 Wireless Setup Endpoint
Publication date: 2026-02-22
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | hg9_firmware | 300001138 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability is a critical stack-based buffer overflow found in the Tenda HG9 router firmware version V300001138, specifically in the Wireless Configuration Endpoint at /boaform/formWlanSetup.'}, {'type': 'paragraph', 'content': 'The issue arises because the function handling wireless LAN settings retrieves the user-controlled "ssid" parameter and copies it into fixed-size stack buffers without validating the input length.'}, {'type': 'paragraph', 'content': 'If an attacker sends an SSID longer than the buffer size (33 bytes), it causes a stack buffer overflow that can overwrite the stack frame, potentially leading to denial of service or arbitrary code execution on the device.'}, {'type': 'paragraph', 'content': 'The vulnerability is remotely exploitable without authentication, and a proof-of-concept exploit is publicly available.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including denial of service (DoS) and remote code execution (RCE) on the affected device.
An attacker can exploit the buffer overflow to crash the HTTP daemon or cause the device to reboot, resulting in service disruption.
More critically, the attacker can hijack the program counter to execute arbitrary code, potentially gaining control over the device.
Since the exploit is remotely executable without authentication and is publicly available, the risk of compromise is high.
There are currently no known mitigations or countermeasures, so affected devices should be replaced or patched if possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for HTTP requests targeting the endpoint /boaform/formWlanSetup on Tenda HG9 routers with firmware version V300001138.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves identifying HTTP POST or GET requests containing an "ssid" parameter with a length exceeding 32 characters, which triggers the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical approach is to capture and analyze HTTP requests to the vulnerable endpoint using network monitoring tools such as tcpdump or Wireshark.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic to the device: tcpdump -i <interface> -A 'tcp port 80 and host <router_ip>'"}, {'type': 'list_item', 'content': "Filter captured traffic for requests to /boaform/formWlanSetup containing the ssid parameter: grep -i 'ssid='"}, {'type': 'list_item', 'content': 'Look for ssid values longer than 32 characters, which indicate potential exploitation attempts.'}, {'type': 'paragraph', 'content': "Additionally, monitoring the router's behavior for crashes or reboots after receiving such requests can also indicate exploitation."}] [1, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation steps include avoiding exposure of the vulnerable Tenda HG9 router's web interface to untrusted networks to prevent remote exploitation."}, {'type': 'paragraph', 'content': 'Since no official patches or countermeasures currently exist, it is recommended to replace the affected device with an alternative product.'}, {'type': 'paragraph', 'content': "If replacement is not immediately possible, restrict access to the router's management interface by network segmentation or firewall rules."}, {'type': 'paragraph', 'content': 'Monitoring and blocking HTTP requests with excessively long ssid parameters targeting /boaform/formWlanSetup can help reduce risk.'}, {'type': 'paragraph', 'content': 'For firmware developers or maintainers, remediation involves validating the length of the ssid parameter before processing, replacing unsafe functions like strcpy with safer alternatives such as strncpy or snprintf, and enabling stack protection mechanisms during compilation.'}] [2, 3]