| Título | Tenda A21 V1.0.0.0 Stack-based Buffer Overflow |
|---|
| Descripción | During a security review of the Tenda A21 router firmware (version V1.0.0.0), a critical stack-based buffer overflow vulnerability was identified in the device name configuration endpoint /goform/SetOnlineDevName.
The vulnerability exists in the set_device_name function, which is invoked by the formSetDeviceName handler. The handler retrieves the user-controlled devName parameter and passes it to set_device_name. Inside this function, the input string is directly used in an unsafe sprintf call to format a string into a fixed-size stack buffer s__1[256]. The code fails to validate the length of the input string before this operation. |
|---|
| Fuente | ⚠️ https://github.com/QIU-DIE/cve-nneeww/issues/6 |
|---|
| Usuario | hhsw34 (UID 91076) |
|---|
| Sumisión | 2026-02-09 13:04 (hace 3 meses) |
|---|
| Moderación | 2026-02-20 18:04 (11 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 347180 [Tenda A21 1.0.0.0 /goform/SetOnlineDevName set_device_name devName desbordamiento de búfer] |
|---|
| Puntos | 20 |
|---|