CVE-2026-2909
Published: 22 February 2026
Summary
CVE-2026-2909 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Hg9 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow vulnerability by applying vendor firmware patches or updates for the affected Tenda HG9 router.
Requires validation of the pingAddr argument in the /boaform/formPing endpoint to restrict operations within safe memory bounds and prevent the buffer overflow.
Provides memory safeguards such as stack canaries and address space layout randomization to mitigate exploitation of the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the public-facing /boaform/formPing web endpoint on Tenda HG9 router enables remote arbitrary code execution with low privileges, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A vulnerability was detected in Tenda HG9 300001138. This affects an unknown part of the file /boaform/formPing of the component Diagnostic Ping Endpoint. Performing a manipulation of the argument pingAddr results in stack-based buffer overflow. The attack is possible to…
more
be carried out remotely. The exploit is now public and may be used.
Deeper analysisAI
CVE-2026-2909 is a stack-based buffer overflow vulnerability affecting the Tenda HG9 router with firmware version 300001138. The flaw exists in an unknown part of the /boaform/formPing file within the Diagnostic Ping Endpoint component, where manipulation of the "pingAddr" argument triggers the overflow. Published on 2026-02-22, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers with low privileges over the network, requiring low complexity and no user interaction. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data compromise, or denial of service. The exploit is now public and may be used by threat actors.
Advisories and additional details are documented in references such as the GitHub issue at https://github.com/QIU-DIE/cve-nneeww/issues/11, VulDB entries at https://vuldb.com/?ctiid.347218, https://vuldb.com/?id.347218, and https://vuldb.com/?submit.755211, as well as the Tenda website at https://www.tenda.com.cn/. Practitioners should consult these sources for any recommended mitigations or patches.
Details
- CWE(s)