CVE-2026-2202
Published: 09 February 2026
Description
A vulnerability was detected in Tenda AC8 16.03.33.05. Affected is the function fromSetWifiGusetBasic of the file /goform/WifiGuestSet of the component httpd. The manipulation of the argument shareSpeed results in buffer overflow. The attack may be launched remotely. The exploit is now public and may be used.
Mitigating Controls (NIST 800-53 r5)
Directly validates the shareSpeed argument in the /goform/WifiGuestSet HTTP request to prevent buffer overflow from malformed inputs.
Mandates timely identification, patching, and remediation of the buffer overflow flaw in Tenda AC8 firmware version 16.03.33.05.
Enforces memory protections like ASLR and non-executable stacks to mitigate arbitrary code execution from the shareSpeed buffer overflow exploit.
Security Summary
CVE-2026-2202 is a buffer overflow vulnerability affecting the Tenda AC8 router on firmware version 16.03.33.05. The issue resides in the function fromSetWifiGusetBasic within the /goform/WifiGuestSet file of the httpd component, where manipulation of the shareSpeed argument triggers the overflow. Associated with CWE-119 and CWE-120, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
The vulnerability can be exploited remotely by attackers with low privileges, such as authenticated users on the network. Exploitation requires low complexity and no user interaction, with potentially high impact on confidentiality, integrity, and availability. This could allow arbitrary code execution on the affected device.
Advisories documented on vuldb.com (e.g., ctiid.344905, id.344905) detail the issue, while a public proof-of-concept exploit is available on GitHub at https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/AC8/WifiGuestSet-sharespeed-bufferoverflow.md, including a specific POC section. No vendor patches or explicit mitigations are referenced in the provided information.
The exploit is publicly available and may be used, as noted in the vulnerability description published on 2026-02-09.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow vulnerability in the router's httpd web interface (/goform/WifiGuestSet) enables remote code execution for low-privileged authenticated attackers, directly facilitating T1190: Exploit Public-Facing Application.