CVE-2026-2910
Remote Stack-Based Buffer Overflow in Tenda HG9 /boaform/formPing
Publication date: 2026-02-22
Last updated on: 2026-02-23
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | hg9_firmware | 300001138 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability is a stack-based buffer overflow found in the Tenda HG9 router firmware version 300001138, specifically in the IPv6 diagnostic ping endpoint located at /boaform/formPing6.'}, {'type': 'paragraph', 'content': 'The flaw occurs in the error handling path of the formPing6 function, which executes a ping6 command using a user-supplied parameter called pingAddr.'}, {'type': 'paragraph', 'content': 'If the ping6 command returns an error containing the string "ping6: bad," the function tries to create a user-friendly error message by copying the pingAddr value into a local stack buffer using sprintf without checking the length of the input.'}, {'type': 'paragraph', 'content': 'Because the buffer is 512 bytes in size, supplying a pingAddr string longer than this causes a buffer overflow that overwrites the return address on the stack.'}, {'type': 'paragraph', 'content': 'This overflow can lead to a crash or enable remote code execution by allowing an attacker to control the execution flow.'}] [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can have severe impacts on the affected device and network.
- Denial of Service (DoS): The buffer overflow can corrupt the stack and crash the HTTP daemon service, making the router unavailable.
- Remote Code Execution (RCE): By overwriting the return address on the stack, an attacker can redirect execution flow to run arbitrary code, potentially taking full control of the device remotely.
- Confidentiality, Integrity, and Availability (CIA) Impact: The vulnerability compromises all three aspects, allowing attackers to disrupt services, manipulate data, or steal sensitive information.
The exploit is publicly available and easy to execute remotely, increasing the risk of attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending a specially crafted POST request to the vulnerable endpoint /boaform/formPing6 on the Tenda HG9 router. The request should include a pingAddr parameter containing a string longer than 512 bytes, which triggers the stack-based buffer overflow when the ping6 command returns an error containing "ping6: bad".'}, {'type': 'paragraph', 'content': "An example detection method is to send a POST request with a pingAddr parameter of excessive length (e.g., 600 'A's) to the target device and observe if the device crashes or behaves abnormally, indicating the overflow."}, {'type': 'paragraph', 'content': 'A sample command using curl to test the vulnerability might look like this:'}, {'type': 'list_item', 'content': 'curl -X POST http://<target-ip>/boaform/formPing6 -d "pingAddr=$(python3 -c \'print("A"*600)\')"'}, {'type': 'paragraph', 'content': 'If the device crashes, restarts, or returns an error related to the ping6 command, it is likely vulnerable.'}] [3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Currently, there are no known patches or official mitigations available for this vulnerability in the Tenda HG9 router firmware version V300001138.'}, {'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Restrict remote access to the router's management interface to trusted networks only, preventing remote attackers from reaching the vulnerable endpoint."}, {'type': 'list_item', 'content': 'Disable or block access to the /boaform/formPing6 endpoint if possible, to prevent exploitation.'}, {'type': 'list_item', 'content': 'Monitor network traffic for suspicious POST requests targeting /boaform/formPing6 with unusually long pingAddr parameters.'}, {'type': 'list_item', 'content': 'Consider replacing the affected device with a different product that is not vulnerable, as recommended by the vendor and security advisories.'}] [2, 3]