Description
A weakness has been identified in Tenda A21 1.0.0.0. This affects the function set_device_name of the file /goform/SetOnlineDevName. This manipulation of the argument devName causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-02-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via stack-based buffer overflow
Action: Patch urgently
AI Analysis

Impact

A stack-based buffer overflow exists in the set_device_name function of the Tenda A21 firmware 1.0.0.0. The flaw is triggered by manipulating the devName argument passed to the /goform/SetOnlineDevName endpoint. Exploiting this weakness can overwrite critical stack data and potentially allow an attacker to execute arbitrary code, compromising confidentiality, integrity, and availability. The vulnerability is identified as CWE‑119 and CWE‑121.

Affected Systems

The affected device is the Tenda A21 router, specifically firmware version 1.0.0.0.

Risk and Exploitability

The CVSS v4.0 score is 8.7 (8.8 under CVSS v3.1), indicating high severity. The EPSS score is below 1%, suggesting a low probability of widespread exploitation, yet publicly available reference exploits exist. The vulnerability is not listed in the CISA KEV catalogue. Remote attackers can trigger it over the network via the web interface; the CVSS vectors list PR:L, meaning low-privileged access is required.

Generated by OpenCVE AI on April 17, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Tenda for an official firmware release that fixes the /goform/SetOnlineDevName flaw and flash it once one is available; none is listed at present.
  • Limit access to the router’s administrative web interface to known management networks or a VPN, blocking exposure to the broader Internet.
  • Change the device’s default or previously set device name and adopt strong, unique credentials for remote configuration access.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tenda a21 Firmware |
| CPEs | | `cpe:2.3:h:tenda:a21:-:*:*:*:*:*:*:*`, `cpe:2.3:o:tenda:a21_firmware:1.0.0.0:*:*:*:*:*:*:*` |
| Vendors & Products | | Tenda a21 Firmware |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Mon, 23 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Tenda; Tenda a21 |
| Vendors & Products | | Tenda; Tenda a21 |

Sat, 21 Feb 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A weakness has been identified in Tenda A21 1.0.0.0. This affects the function set_device_name of the file /goform/SetOnlineDevName. This manipulation of the argument devName causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. |
| Title | | Tenda A21 SetOnlineDevName set_device_name stack-based overflow |
| Weaknesses | | CWE-119, CWE-121 |
| References | | |
| Metrics | | cvssV2_0: `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}` |
| | | cvssV3_0: `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` |
| | | cvssV3_1: `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}` |
| | | cvssV4_0: `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:31:15.738Z

Reserved: 2026-02-20T17:04:45.674Z

Link: CVE-2026-2886

Vulnrichment

Updated: 2026-02-23T19:31:09.469Z

NVD

Status: Analyzed

Published: 2026-02-21T21:16:11.217

Modified: 2026-02-23T21:00:35.513

Link: CVE-2026-2886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses