CVE-2026-2872
Published: 21 February 2026
Summary
CVE-2026-2872 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda A21 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents stack-based buffer overflow by validating the devName/mac argument in the /goform/setBlackRule endpoint prior to processing.
Mitigates the vulnerability by identifying, testing, and deploying firmware patches from the vendor to remediate the specific buffer overflow flaw.
Protects against exploitation of the stack-based buffer overflow through memory safeguards such as stack canaries, ASLR, and DEP.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remotely exploitable stack-based buffer overflow in a public-facing web endpoint (/goform/setBlackRule) on Tenda A21 router firmware, enabling RCE, which directly maps to T1190: Exploit Public-Facing Application.
NVD Description
A security vulnerability has been detected in Tenda A21 1.0.0.0. This vulnerability affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. Such manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack…
more
may be performed from remote. The exploit has been disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-2872 is a stack-based buffer overflow vulnerability in Tenda A21 firmware version 1.0.0.0, published on 2026-02-21. It affects the set_device_name function within the /goform/setBlackRule endpoint of the MAC Filtering Configuration component. The flaw arises from improper handling of the devName/mac argument, as documented under CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability enables remote exploitation by an attacker with low privileges (PR:L per CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scoring 8.8). No user interaction is required, and low complexity suffices for manipulation of the vulnerable argument. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially leading to remote code execution on the affected device.
Advisories on VulDB (ctiid.347109, id.347109, submit.754634) detail the issue and confirm remote exploitability. A GitHub repository (QIU-DIE/cve-nneeww/issues/3) has publicly disclosed an exploit. Security practitioners should check the vendor site at tenda.com.cn for patches or firmware updates to mitigate exposure.
Details
- CWE(s)