CVE-2026-2202
Published: 09 February 2026
Summary
CVE-2026-2202 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates the shareSpeed argument in the /goform/WifiGuestSet HTTP request to prevent buffer overflow from malformed inputs.
Mandates timely identification, patching, and remediation of the buffer overflow flaw in Tenda AC8 firmware version 16.03.33.05.
Enforces memory protections like ASLR and non-executable stacks to mitigate arbitrary code execution from the shareSpeed buffer overflow exploit.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow vulnerability in the router's httpd web interface (/goform/WifiGuestSet) enables remote code execution for low-privileged authenticated attackers, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was detected in Tenda AC8 16.03.33.05. Affected is the function fromSetWifiGusetBasic of the file /goform/WifiGuestSet of the component httpd. The manipulation of the argument shareSpeed results in buffer overflow. The attack may be launched remotely. The exploit is…
more
now public and may be used.
Deeper analysisAI
CVE-2026-2202 is a buffer overflow vulnerability affecting the Tenda AC8 router on firmware version 16.03.33.05. The issue resides in the function fromSetWifiGusetBasic within the /goform/WifiGuestSet file of the httpd component, where manipulation of the shareSpeed argument triggers the overflow. Associated with CWE-119 and CWE-120, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users on the network. Exploitation requires low complexity and no user interaction, potentially granting high-impact access to confidentiality, integrity, and availability. This could allow arbitrary code execution on the affected device.
Advisories documented on vuldb.com (e.g., ctiid.344905, id.344905) detail the issue, while a public proof-of-concept exploit is available on GitHub at https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/AC8/WifiGuestSet-sharespeed-bufferoverflow.md, including a specific POC section. No vendor patches or explicit mitigations are referenced in the provided information.
The exploit is publicly available and may be used, as noted in the vulnerability description published on 2026-02-09.
Details
- CWE(s)