Cyber Resilience

CVE-2026-2191

HighPublic PoC

Published: 08 February 2026

Published
08 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 7.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0019 40.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2191 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac9 Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2191 is a stack-based buffer overflow vulnerability affecting the Tenda AC9 router on firmware version 15.03.06.42_multi. The flaw resides in the formGetDdosDefenceList function, where manipulation of the security.ddos.map argument triggers the overflow. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating network-based exploitation with low attack complexity, no user interaction required, but high privileges (such as administrative access) needed. An attacker with sufficient privileges can remotely initiate the exploit to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise.

Advisories reference a public exploit in a GitHub repository (https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda3.md) and multiple VulDB entries (https://vuldb.com/?ctiid.344894, https://vuldb.com/?id.344894, https://vuldb.com/?submit.749800), noting that the exploit is available for attacks. The Tenda vendor site (https://www.tenda.com.cn/) should be consulted for any patches or mitigation guidance.

The exploit has been made publicly available, increasing the risk of real-world attacks against vulnerable Tenda AC9 devices.

EU & UK References

Vulnerability details

A weakness has been identified in Tenda AC9 15.03.06.42_multi. Affected is the function formGetDdosDefenceList. This manipulation of the argument security.ddos.map causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and…

more

could be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authenticated RCE via buffer overflow in public-facing router web interface directly maps to exploitation of a network-accessible application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6016Same product: Tenda Ac9
CVE-2026-2192Same product: Tenda Ac9
CVE-2026-6015Same product: Tenda Ac9
CVE-2025-29387Same product: Tenda Ac9
CVE-2025-22946Same product: Tenda Ac9
CVE-2025-29385Same product: Tenda Ac9
CVE-2025-29386Same product: Tenda Ac9
CVE-2025-29384Same product: Tenda Ac9
CVE-2025-22949Same product: Tenda Ac9
CVE-2025-7417Same vendor: Tenda

Affected Assets

tenda
ac9 firmware
15.03.06.42_multi

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of the security.ddos.map argument in formGetDdosDefenceList to block the stack-based buffer overflow.

prevent

Applies memory protection mechanisms that can prevent successful exploitation of the stack overflow despite the coding flaw.

prevent

Limits administrative privileges required for remote access to the vulnerable function, reducing the pool of potential attackers.

References