CVE-2026-2138
Published: 08 February 2026
Summary
CVE-2026-2138 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Tx9 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of information inputs, directly preventing buffer overflows triggered by manipulated argument lists in the /goform/SetStaticRouteCfg endpoint.
SI-16 enforces memory protection mechanisms like stack canaries, ASLR, and DEP that comprehensively mitigate buffer overflow exploitation leading to arbitrary code execution.
SI-2 requires timely flaw remediation, directly addressing the buffer overflow vulnerability through patching the affected sub_42D03C function in Tenda TX9 firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in router web endpoint (/goform/SetStaticRouteCfg) directly enables remote code execution by authenticated attackers against a public-facing network device interface.
NVD Description
A vulnerability was found in Tenda TX9 up to 22.03.02.10_multi. Affected is the function sub_42D03C of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been made…
more
public and could be used.
Deeper analysisAI
CVE-2026-2138 is a buffer overflow vulnerability affecting Tenda TX9 routers running firmware versions up to 22.03.02.10_multi. The issue resides in the sub_42D03C function within the /goform/SetStaticRouteCfg web endpoint, where manipulation of the argument list triggers the overflow. This flaw, associated with CWE-119 and CWE-120, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-08.
The vulnerability enables remote exploitation by attackers who possess low privileges, such as authenticated users with access to the router's web interface. By sending crafted requests to the affected endpoint, an attacker can trigger the buffer overflow, potentially leading to arbitrary code execution with high impacts on confidentiality, integrity, and availability.
Advisories and references, including entries on VulDB and a GitHub repository, confirm the exploit has been publicly disclosed, with a proof-of-concept available that demonstrates the buffer overflow in the Tenda TX9 Pro via the SetStaticRouteCfg endpoint. No specific patches or mitigation details are outlined in the provided references.
Details
- CWE(s)