CVE-2026-2909

HighPublic PoC

Published: 22 February 2026

Published

22 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was detected in Tenda HG9 300001138. This affects an unknown part of the file /boaform/formPing of the component Diagnostic Ping Endpoint. Performing a manipulation of the argument pingAddr results in stack-based buffer overflow. The attack is possible to…

be carried out remotely. The exploit is now public and may be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the stack-based buffer overflow vulnerability by applying vendor firmware patches or updates for the affected Tenda HG9 router.

SI-10 Information Input Validation good match

prevent

Requires validation of the pingAddr argument in the /boaform/formPing endpoint to restrict operations within safe memory bounds and prevent the buffer overflow.

SI-16 Memory Protection partial match

prevent

Provides memory safeguards such as stack canaries and address space layout randomization to mitigate exploitation of the stack-based buffer overflow.

Security SummaryAI

CVE-2026-2909 is a stack-based buffer overflow vulnerability affecting the Tenda HG9 router with firmware version 300001138. The flaw exists in an unknown part of the /boaform/formPing file within the Diagnostic Ping Endpoint component, where manipulation of the "pingAddr" argument triggers the overflow. Published on 2026-02-22, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by attackers with low privileges over the network, requiring low complexity and no user interaction. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution, data compromise, or denial of service. The exploit is now public and may be used by threat actors.

Advisories and additional details are documented in references such as the GitHub issue at https://github.com/QIU-DIE/cve-nneeww/issues/11, VulDB entries at https://vuldb.com/?ctiid.347218, https://vuldb.com/?id.347218, and https://vuldb.com/?submit.755211, as well as the Tenda website at https://www.tenda.com.cn/. Practitioners should consult these sources for any recommended mitigations or patches.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

hg9 firmware

300001138

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in the public-facing /boaform/formPing web endpoint on Tenda HG9 router enables remote arbitrary code execution with low privileges, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/QIU-DIE/cve-nneeww/issues/11
Exploit, Issue Tracking, Mitigation, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.347218
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.347218
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.755211
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com