CVE-2026-2140

8.8 HIGH

Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis

Quick Summary

A buffer overflow vulnerability exists in certain Tenda TX9 routers. Attackers can remotely send specially crafted network requests to crash the device or potentially run malicious code.

Who is affected

Users of Tenda TX9 routers with firmware up to version 22.03.02.10_multi are affected. An attacker could take control of the router, disrupt internet access, or access the local network.

Recommended fix

Immediately update the router's firmware to a version newer than 22.03.02.10_multi, if available from Tenda. If no patch exists, disable remote administration and restrict access to the router's web interface.

Technical Description

A vulnerability was identified in Tenda TX9 up to 22.03.02.10_multi. The issue affects the function sub_4223E0 of the file /goform/setMacFilterCfg. Manipulating the argument deviceList leads to a buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used.

CVSS Details

Attack Vector

NETWORK

Complexity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-119, CWE-120
