CVE-2026-24109
Published: 02 March 2026
Summary
CVE-2026-24109 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda W20E Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates validation of user-controlled inputs like picName at system entry points to prevent buffer overflows from unbounded data passed to sprintf.
Requires timely identification, reporting, and correction of flaws such as this buffer overflow vulnerability via firmware patching.
Implements memory protections like address space randomization or stack guards to mitigate exploitation of buffer overflows leading to memory corruption.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated buffer overflow in public-facing router web interface directly enables T1190 (Exploit Public-Facing Application) for RCE.
NVD Description
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `picName`. When this value is used in `sprintf` without validating variable sizes, it could lead to a buffer overflow vulnerability.
Deeper analysisAI
CVE-2026-24109 is a buffer overflow vulnerability (CWE-120) discovered in the Tenda W20E router running firmware version V4.0br_V15.11.0.6. The flaw arises when the `picName` parameter, which attackers can control, is passed to a `sprintf` function without proper bounds checking or variable size validation. This unsafe string handling allows arbitrary data to overflow fixed-size buffers, potentially leading to memory corruption.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, no authentication or user interaction required. Any unauthenticated attacker can send crafted requests controlling the `picName` value to trigger the buffer overflow, potentially achieving remote code execution, data theft, or device denial of service with high impacts on confidentiality, integrity, and availability.
Vendor references include a Tenda advisory at https://www.tenda.com.cn/material/show/2707, along with CVE report repositories at https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24109. Security practitioners should consult these for patching instructions or firmware updates to mitigate the issue.
Details
- CWE(s)