CVE-2026-2185
Published: 08 February 2026
Summary
CVE-2026-2185 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Rx3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of flaws like this stack-based buffer overflow, directly mitigating the CVE by patching the vulnerable firmware.
SI-10 enforces input validation at endpoints like /goform/setBlackRule, preventing the buffer overflow triggered by malformed devName/mac arguments.
SI-16 implements memory protections such as stack canaries and address space randomization to thwart exploitation of the stack-based buffer overflow even if invalid input reaches the vulnerable function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in authenticated web form endpoint (/goform/setBlackRule) on network-exposed router firmware directly enables remote code execution via exploitation of a public-facing application.
NVD Description
A flaw has been found in Tenda RX3 16.03.13.11. This issue affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. This manipulation of the argument devName/mac causes stack-based buffer overflow. The attack is possible…
more
to be carried out remotely. The exploit has been published and may be used.
Deeper analysisAI
CVE-2026-2185, published on 2026-02-08, is a stack-based buffer overflow vulnerability affecting Tenda RX3 router firmware version 16.03.13.11. The issue exists in the set_device_name function of the /goform/setBlackRule endpoint within the MAC Filtering Configuration component. Attackers can trigger the overflow by manipulating the devName/mac argument.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low complexity, and a requirement for low privileges such as an authenticated user account. Remote exploitation is possible without user interaction, enabling attackers to achieve high impacts on confidentiality, integrity, and availability, which could result in full compromise of the affected device. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
Advisories and additional details are documented in references such as VulDB entries (https://vuldb.com/?ctiid.344888, https://vuldb.com/?id.344888, https://vuldb.com/?submit.749715) and the Tenda website (https://www.tenda.com.cn/). A proof-of-concept exploit has been published on GitHub (https://github.com/LX-66-LX/cve-new/issues/6) and may be used by attackers.
Details
- CWE(s)