CVE-2026-24110
Published: 02 March 2026
Summary
CVE-2026-24110 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Tenda W20E Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the lack of size validation for addDhcpRules data before sscanf processing, preventing buffer overflows in dhcpsIndex, dhcpsIP, and dhcpsMac.
Requires timely identification, reporting, and patching of the buffer overflow flaw in Tenda W20E firmware version V4.0br_V15.11.0.6.
Provides memory safeguards such as stack canaries or non-executable stacks to mitigate exploitation of the buffer overflow even if input validation is incomplete.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing router web/management interface (addDhcpRule) directly enables remote unauthenticated exploitation for code execution or device compromise.
NVD Description
An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may send overly long `addDhcpRules` data. When these rules enter the `addDhcpRule` function and are processed by `ret = sscanf(pRule, " %d\t%[^\t]\t%[^\n\r\t]", &dhcpsIndex, dhcpsIP, dhcpsMac);`, the lack of size validation for…
more
the rules could lead to buffer overflows in `dhcpsIndex`, `dhcpsIP`, and `dhcpsMac`.
Deeper analysisAI
CVE-2026-24110 is a buffer overflow vulnerability (CWE-120) discovered in Tenda W20E router firmware version V4.0br_V15.11.0.6. The flaw occurs when attackers send overly long `addDhcpRules` data, which is processed by the `addDhcpRule` function via the command `ret = sscanf(pRule, " %d\t%[^\t]\t%[^\n\r\t]", &dhcpsIndex, dhcpsIP, dhcpsMac);`. Due to the absence of size validation, this can overflow fixed-size buffers for `dhcpsIndex`, `dhcpsIP`, and `dhcpsMac`.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution or full device compromise through the buffer overflows.
Advisories and mitigation guidance are provided by Tenda at https://www.tenda.com.cn/material/show/2707 and in a CVE report on GitHub at https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2026-24110. Security practitioners should review these resources for available patches, firmware updates, or recommended workarounds.
Details
- CWE(s)