CVE-2026-2870

HighPublic PoC

Published: 21 February 2026

Published

21 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in Tenda A21 1.0.0.0. Affected by this issue is the function set_qosMib_list of the file /goform/formSetQosBand. The manipulation of the argument list results in stack-based buffer overflow. The attack can be executed remotely. The…

exploit has been released to the public and may be used for attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation and sanitization of the manipulated 'list' argument in set_qosMib_list to prevent stack-based buffer overflow exploitation.

SI-16 Memory Protection good match

prevent

Implements memory protections such as stack canaries or ASLR to mitigate stack-based buffer overflow vulnerabilities like this one.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of identified flaws, including patching the buffer overflow in Tenda A21 firmware version 1.0.0.0.

Security SummaryAI

CVE-2026-2870 is a stack-based buffer overflow vulnerability affecting the Tenda A21 router on firmware version 1.0.0.0. The issue resides in the set_qosMib_list function within the /goform/formSetQosBand file, where manipulation of the argument list triggers the overflow.

Attackers with low privileges (PR:L) can exploit this remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 8.8. Successful exploitation may enable remote code execution, with a public exploit already released.

Advisories on VulDB (ctiid.347107, id.347107, submit.754627) document the vulnerability, and a GitHub issue at QIU-DIE/cve-nneeww/issues/1 provides exploit details. Practitioners should consult the Tenda website (tenda.com.cn) for any firmware patches or mitigation guidance, as no specific updates are detailed in the available references.

The public availability of the exploit elevates the risk of real-world attacks against unpatched Tenda A21 devices.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

a21 firmware

1.0.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in the web interface (/goform/formSetQosBand) of a public-facing Tenda A21 router enables remote code execution with low privileges and complexity, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/QIU-DIE/cve-nneeww/issues/1
Exploit, Issue Tracking, Mitigation, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347107
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347107
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.754627
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com