CVE-2026-2907
Received Received - Intake
Stack-Based Buffer Overflow in Tenda HG9 GPON Configuration Endpoint

Publication date: 2026-02-22

Last updated on: 2026-02-23

Assigner: VulDB

Description
A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. This manipulation of the argument fmgpon_loid/fmgpon_loid_password causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2907
EUVD
EUVD-2026-7537
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda hg9_firmware 300001138
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-2907 is a critical stack-based buffer overflow vulnerability found in the Tenda HG9 router firmware version 300001138, specifically in the GPON Configuration Endpoint at /boaform/formgponConf.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from unsafe handling of the user-supplied parameters fmgpon_loid and fmgpon_loid_password. These inputs are inserted into a fixed-size 128-byte stack buffer using the unsafe sprintf function without boundary checks.'}, {'type': 'paragraph', 'content': "If an attacker supplies an excessively long fmgpon_loid parameter (e.g., over 120 bytes), it causes a buffer overflow that overwrites the function's return address on the stack."}, {'type': 'paragraph', 'content': 'This overflow can lead to denial of service by crashing the HTTP daemon or potentially enable remote code execution by redirecting execution flow with crafted payloads.'}, {'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely without local access or physical interaction, and a proof-of-concept exploit is publicly available.'}] [1, 2, 3]

Impact Analysis

Exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the affected Tenda HG9 router.

  • Denial of Service (DoS) by crashing the HTTP daemon, causing network disruption.
  • Potential Remote Code Execution (RCE) allowing an attacker to execute arbitrary code with web server privileges, typically root.
  • Remote exploitation without any user interaction or physical access.
  • No known mitigations or vendor fixes currently exist, increasing risk.

Successful exploitation could allow attackers to take control of the device, disrupt network services, or use the device as a foothold for further attacks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted HTTP POST requests to the /boaform/formgponConf endpoint of the Tenda HG9 router, specifically manipulating the fmgpon_loid and fmgpon_loid_password parameters.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves sending a POST request with an excessively long fmgpon_loid parameter (e.g., over 120 bytes, such as a 300-character string) which triggers the stack-based buffer overflow and causes the HTTP daemon to crash.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability by sending a long fmgpon_loid parameter:'}, {'type': 'list_item', 'content': 'curl -X POST http://[router_ip]/boaform/formgponConf -d "fmgpon_loid=$(python3 -c \'print("A"*300)\')&fmgpon_loid_password=test"'}, {'type': 'paragraph', 'content': 'If the service crashes or becomes unresponsive after this request, it indicates the presence of the vulnerability.'}] [3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Currently, there are no known vendor-provided fixes or mitigations for this vulnerability.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Restrict network access to the affected router's management interface, especially blocking remote access to the /boaform/formgponConf endpoint."}, {'type': 'list_item', 'content': 'Monitor network traffic for suspicious POST requests targeting the vulnerable endpoint with unusually long parameters.'}, {'type': 'list_item', 'content': 'Consider replacing the affected Tenda HG9 router with a device that is not vulnerable or has vendor support and patches.'}, {'type': 'paragraph', 'content': 'Long-term remediation involves firmware updates that replace unsafe functions like sprintf with safer alternatives such as snprintf, implement strict input validation, and enable stack protection mechanisms, but these require vendor action.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2907. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart