CVE-2026-2187
8.8 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
A stack-based buffer overflow vulnerability exists in the Tenda RX3 router's web management interface. An attacker can remotely send specially crafted data to crash the device or potentially execute arbitrary code.
Who is affected
Users of Tenda RX3 routers with firmware version 16.03.13.11 are affected. A remote attacker could take control of the router, disrupt network service, or use it as a foothold for further attacks.
Recommended fix
Immediately check the Tenda website for a firmware update that addresses CVE-2026-2187 and apply it. If no patch is available, disable remote administration (WAN access) to the router's management interface as a temporary mitigation.
Technical Description
A vulnerability was found in Tenda RX3 16.03.13.11. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Manipulating the argument "list" results in a stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119, CWE-121