Cyber Resilience

CVE-2026-2870

HighPublic PoC

Published: 21 February 2026

Published
21 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0059 43.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-2870 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda A21 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-2870 is a stack-based buffer overflow vulnerability affecting the Tenda A21 router on firmware version 1.0.0.0. The issue resides in the set_qosMib_list function within the /goform/formSetQosBand file, where manipulation of the argument list triggers the overflow.

Attackers with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 8.8. Successful exploitation may enable remote code execution, with a public exploit already released.

Advisories on VulDB (ctiid.347107, id.347107, submit.754627) document the vulnerability, and a GitHub issue at QIU-DIE/cve-nneeww/issues/1 provides exploit details. Practitioners should consult the Tenda website (tenda.com.cn) for any firmware patches or mitigation guidance, as no specific updates are detailed in the available references.

The public availability of the exploit elevates the risk of real-world attacks against unpatched Tenda A21 devices.

EU & UK References

Vulnerability details

A security flaw has been discovered in Tenda A21 1.0.0.0. Affected by this issue is the function set_qosMib_list of the file /goform/formSetQosBand. The manipulation of the argument list results in stack-based buffer overflow. The attack can be executed remotely. The…

more

exploit has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the web interface (/goform/formSetQosBand) of a public-facing Tenda A21 router enables remote code execution with low privileges and complexity, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2886Same product: Tenda A21
CVE-2026-2872Same product: Tenda A21
CVE-2026-2871Same product: Tenda A21
CVE-2026-2874Same product: Tenda A21
CVE-2026-2873Same product: Tenda A21
CVE-2025-8017Same vendor: Tenda
CVE-2025-14665Same vendor: Tenda
CVE-2026-5604Same vendor: Tenda
CVE-2025-11386Same vendor: Tenda
CVE-2025-7792Same vendor: Tenda

Affected Assets

tenda
a21 firmware
1.0.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of the manipulated 'list' argument in set_qosMib_list to prevent stack-based buffer overflow exploitation.

prevent

Implements memory protections such as stack canaries or ASLR to mitigate stack-based buffer overflow vulnerabilities like this one.

prevent

Mandates timely remediation of identified flaws, including patching the buffer overflow in Tenda A21 firmware version 1.0.0.0.

References