Cyber Posture

CVE-2026-2876

High

Published: 21 February 2026

Modified: 23 February 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.4th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2876 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda A18 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Validates the deviceList argument in parse_macfilter_rule to prevent stack-based buffer overflow from malformed or oversized inputs.

prevent: Implements memory protections like stack canaries and non-executable stacks to mitigate exploitation of the buffer overflow vulnerability.

prevent, recover: Remediates the specific stack-based buffer overflow flaw in /goform/setBlackRule through timely patching and flaw correction processes.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

A stack-based buffer overflow in the router's web management interface (/goform/setBlackRule) allows remote exploitation over the network (AV:N/PR:L) for code execution, directly mapping to T1190 (Exploit Public-Facing Application) and T1210 (Exploitation of Remote Services).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was determined in Tenda A18 15.13.07.13. This affects the function parse_macfilter_rule of the file /goform/setBlackRule. This manipulation of the argument deviceList causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.

Deeper analysis [AI]

CVE-2026-2876 is a stack-based buffer overflow vulnerability affecting the Tenda A18 router on firmware version 15.13.07.13, published on 2026-02-21. The flaw exists in the parse_macfilter_rule function of the /goform/setBlackRule file, where manipulation of the deviceList argument triggers the overflow. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability is remotely exploitable over the network with low attack complexity, requiring low privileges such as basic authentication but no user interaction. An attacker could send a crafted request to the affected endpoint, causing the buffer overflow and potentially achieving high impacts including unauthorized access to sensitive data, modification of system integrity, or denial of service through crashes or code execution.

Advisories on VulDB (ctiid.347114, id.347114, submit.754675) and a GitHub issue (master-abc/cve/issues/38) document the vulnerability details, noting that the exploit has been publicly disclosed and may be utilized. The Tenda manufacturer's website (tenda.com.cn) is referenced for potential further information.

Details

CWE(s)

Affected Products

tenda
a18 firmware
15.13.07.13

CVEs Like This One

CVE-2025-0848 (Same product: Tenda A18)
CVE-2026-2877 (Same product: Tenda A18)
CVE-2026-2930 (Same product: Tenda A18)
CVE-2025-7416 (Same vendor: Tenda)
CVE-2025-8131 (Same vendor: Tenda)
CVE-2025-7855 (Same vendor: Tenda)
CVE-2025-14994 (Same vendor: Tenda)
CVE-2025-9087 (Same vendor: Tenda)
CVE-2025-7548 (Same vendor: Tenda)
CVE-2025-9605 (Same vendor: Tenda)
