CVE-2026-2191
7.2 HIGH · Published 2026-02-08 · Modified 2026-02-09 · Undergoing Analysis
Quick Summary
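A remote attacker can send specially crafted data to a vulnerable Tenda AC9 router, causing a stack-based buffer overflow. This is a serious flaw because it potentially allows an attacker to take control of the device over the network. The CVSS vector for this entry rates Privileges Required as High (PR:H), meaning the attacker needs privileged access to the device rather than anonymous access.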
Who is affected
Users of Tenda AC9 routers with firmware version 15.03.06.42_multi are affected. An attacker could crash the device or execute arbitrary code to gain full control.
Recommended fix
Immediately check the Tenda website for a firmware update that addresses CVE-2026-2191. If no patch is available, consider disabling remote administration and restricting network access to the router's web interface as a temporary mitigation.
Technical Description
A weakness has been identified in Tenda AC9 15.03.06.42_multi. The affected function is formGetDdosDefenceList. Manipulating the argument security.ddos.map causes a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
CVSS Details
Attack Vector: NETWORK
Complexity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-119, CWE-121