CVE-2026-2907
Stack-Based Buffer Overflow in Tenda HG9 GPON Configuration Endpoint
Publication date: 2026-02-22
Last updated on: 2026-02-23
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | hg9_firmware | 300001138 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2907 is a critical stack-based buffer overflow vulnerability found in the Tenda HG9 router firmware version 300001138, specifically in the GPON Configuration Endpoint at /boaform/formgponConf.

The vulnerability arises from unsafe handling of the user-supplied parameters fmgpon_loid and fmgpon_loid_password. These inputs are inserted into a fixed-size 128-byte stack buffer using the unsafe sprintf function without boundary checks.

If an attacker supplies an excessively long fmgpon_loid parameter (e.g., over 120 bytes), it causes a buffer overflow that overwrites the function's return address on the stack.

This overflow can lead to denial of service by crashing the HTTP daemon or potentially enable remote code execution by redirecting execution flow with crafted payloads.

The vulnerability can be exploited remotely without local access or physical interaction, and a proof-of-concept exploit is publicly available. [1, 2, 3]

How can this vulnerability impact me?
Exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the affected Tenda HG9 router.
- Denial of Service (DoS) by crashing the HTTP daemon, causing network disruption.
- Potential Remote Code Execution (RCE) allowing an attacker to execute arbitrary code with web server privileges, typically root.
- Remote exploitation without any user interaction or physical access.
- No known mitigations or vendor fixes currently exist, increasing risk.
Successful exploitation could allow attackers to take control of the device, disrupt network services, or use the device as a foothold for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests to the /boaform/formgponConf endpoint of the Tenda HG9 router, specifically manipulating the fmgpon_loid and fmgpon_loid_password parameters.

A proof-of-concept involves sending a POST request with an excessively long fmgpon_loid parameter (e.g., over 120 bytes, such as a 300-character string) which triggers the stack-based buffer overflow and causes the HTTP daemon to crash.

Example command using curl to test the vulnerability by sending a long fmgpon_loid parameter:

- curl -X POST http://[router_ip]/boaform/formgponConf -d "fmgpon_loid=$(python3 -c 'print("A"*300)')&fmgpon_loid_password=test"

If the service crashes or becomes unresponsive after this request, it indicates the presence of the vulnerability. [3]
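A passive check for the oversized-parameter requests described above, suitable for a proxy or log-processing hook, is sketched here as an added example (not code from the page or from Tenda). The function names and the 120-byte alert threshold are assumptions taken from the figures quoted in the answer.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GPON_PATH "/boaform/formgponConf"
#define LOID_ALERT_LEN 120 /* assumed threshold, from the page's "over 120 bytes" */

/* Decoded length of form field `name` in a urlencoded body, or -1 if absent. */
static long field_len(const char *body, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = body; *p; ) {
        const char *end = strchr(p, '&');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        /* Require '=' right after the name so fmgpon_loid does not
           match fmgpon_loid_password. */
        if (seg > nlen && p[nlen] == '=' && strncmp(p, name, nlen) == 0) {
            long n = 0;
            for (size_t i = nlen + 1; i < seg; i++, n++)
                if (p[i] == '%' && i + 2 < seg &&
                    isxdigit((unsigned char)p[i + 1]) &&
                    isxdigit((unsigned char)p[i + 2]))
                    i += 2; /* %XX decodes to one byte */
            return n;
        }
        if (!end) break;
        p = end + 1;
    }
    return -1;
}

/* Returns 1 when a POST to the GPON endpoint carries an oversized field. */
int is_suspicious_gpon_post(const char *path, const char *body)
{
    size_t plen = strlen(GPON_PATH);
    if (strncmp(path, GPON_PATH, plen) != 0 ||
        (path[plen] != '\0' && path[plen] != '?'))
        return 0;
    return field_len(body, "fmgpon_loid") > LOID_ALERT_LEN ||
           field_len(body, "fmgpon_loid_password") > LOID_ALERT_LEN;
}

int main(void)
{
    /* Constructed sample: a normal-sized configuration request. */
    const char *ok = "fmgpon_loid=user01&fmgpon_loid_password=secret";
    printf("flagged: %d\n", is_suspicious_gpon_post(GPON_PATH, ok));
    return 0;
}
```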
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known vendor-provided fixes or mitigations for this vulnerability.

Immediate mitigation steps include:

- Restrict network access to the affected router's management interface, especially blocking remote access to the /boaform/formgponConf endpoint.
- Monitor network traffic for suspicious POST requests targeting the vulnerable endpoint with unusually long parameters.
- Consider replacing the affected Tenda HG9 router with a device that is not vulnerable or has vendor support and patches.

Long-term remediation involves firmware updates that replace unsafe functions like sprintf with safer alternatives such as snprintf, implement strict input validation, and enable stack protection mechanisms, but these require vendor action. [1, 3]
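The long-term fix described above, validating both fields and formatting them with snprintf plus a truncation check, looks like this in an added example (not the firmware's code). The helper names, the format string, the 32-byte field limit and the alphanumeric-only policy are assumptions; only the 128-byte buffer size comes from the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CONF_BUF_LEN 128 /* buffer size stated on the page */
#define LOID_MAX_LEN 32  /* assumed policy limit, not a vendor value */

/* Accept only 1..max alphanumeric bytes (assumed validation policy). */
static int field_ok(const char *s, size_t max)
{
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > max)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Hypothetical helper with an illustrative format string.
   Returns bytes written, or -1 on rejected input or truncation. */
int build_gpon_conf(char *out, size_t outsz, const char *loid, const char *pw)
{
    if (!out || outsz == 0)
        return -1;
    out[0] = '\0';
    if (!field_ok(loid, LOID_MAX_LEN) || !field_ok(pw, LOID_MAX_LEN))
        return -1;
    /* snprintf never writes past outsz; n >= outsz means truncation. */
    int n = snprintf(out, outsz, "loid=%s password=%s", loid, pw);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char conf[CONF_BUF_LEN];
    int n = build_gpon_conf(conf, sizeof conf, "user01", "secret");
    printf("%d %s\n", n, conf);
    return 0;
}
```

Compiling with GCC or Clang's -fstack-protector-strong adds the stack protection the answer mentions as a further layer.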