| Title | Tenda A21 V1.0.0.0 Stack-based Buffer Overflow |
|---|
| Description | During a security review of the Tenda A21 router firmware (version V1.0.0.0), a critical stack-based buffer overflow vulnerability was identified in the device name configuration endpoint /goform/SetOnlineDevName.
The vulnerability exists in the set_device_name function, which is invoked by the formSetDeviceName handler. The handler retrieves the user-controlled devName parameter and passes it to set_device_name. Inside this function, the input string is directly used in an unsafe sprintf call to format a string into a fixed-size stack buffer s__1[256]. The code fails to validate the length of the input string before this operation. |
|---|
| Source | ⚠️ https://github.com/QIU-DIE/cve-nneeww/issues/6 |
|---|
| User | hhsw34 (UID 91076) |
|---|
| Submission | 02/09/2026 13:04 (3 months ago) |
|---|
| Moderation | 02/20/2026 18:04 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 347180 [Tenda A21 1.0.0.0 /goform/SetOnlineDevName set_device_name devName stack-based overflow] |
|---|
| Points | 20 |
|---|