CVE-2026-2186

8.8 HIGH

Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis

Quick Summary

A critical vulnerability exists in the Tenda RX3 router's web management interface. By sending specially crafted network requests, a remote attacker can trigger a stack-based buffer overflow, potentially taking control of the device.

Who is affected

Users of Tenda RX3 routers with firmware version 16.03.13.11 are affected. An unauthenticated attacker on the same network could exploit this to crash the router or execute arbitrary code, leading to a complete compromise.

Recommended fix

Immediately check the Tenda website for a firmware update that addresses this issue and apply it. If no patch is available, restrict access to the router's admin interface to trusted wired connections only and disable remote administration.

Technical Description

A vulnerability has been found in Tenda RX3 16.03.13.11. It affects the function fromSetIpMacBind in the file /goform/SetIpMacBind. Manipulating the argument list leads to a stack-based buffer overflow. The attack can be performed remotely. The exploit has been publicly disclosed and may be used.

CVSS Details

Attack Vector: NETWORK

Complexity: LOW

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-119, CWE-121
