CVE-2026-2870
Published: 21 February 2026
Summary
CVE-2026-2870 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda A21 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation and sanitization of the manipulated 'list' argument in set_qosMib_list to prevent stack-based buffer overflow exploitation.
Implements memory protections such as stack canaries or ASLR to mitigate stack-based buffer overflow vulnerabilities like this one.
Mandates timely remediation of identified flaws, including patching the buffer overflow in Tenda A21 firmware version 1.0.0.0.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the web interface (/goform/formSetQosBand) of a public-facing Tenda A21 router enables remote code execution with low privileges and complexity, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A security flaw has been discovered in Tenda A21 1.0.0.0. Affected by this issue is the function set_qosMib_list of the file /goform/formSetQosBand. The manipulation of the argument list results in stack-based buffer overflow. The attack can be executed remotely. The…
more
exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-2870 is a stack-based buffer overflow vulnerability affecting the Tenda A21 router on firmware version 1.0.0.0. The issue resides in the set_qosMib_list function within the /goform/formSetQosBand file, where manipulation of the argument list triggers the overflow.
Attackers with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 8.8. Successful exploitation may enable remote code execution, with a public exploit already released.
Advisories on VulDB (ctiid.347107, id.347107, submit.754627) document the vulnerability, and a GitHub issue at QIU-DIE/cve-nneeww/issues/1 provides exploit details. Practitioners should consult the Tenda website (tenda.com.cn) for any firmware patches or mitigation guidance, as no specific updates are detailed in the available references.
The public availability of the exploit elevates the risk of real-world attacks against unpatched Tenda A21 devices.
Details
- CWE(s)