CVE-2026-2187 is a stack-based buffer overflow vulnerability identified in the Tenda RX3 router firmware version 16.03.13.11. The flaw exists in the set_qosMib_list function, which is part of the /goform/formSetQosBand web endpoint responsible for configuring QoS parameters. The vulnerability is triggered by manipulating the argument list passed to this function, causing a buffer overflow on the stack. This overflow can corrupt the execution stack, enabling remote attackers to execute arbitrary code or crash the device, leading to denial of service. The attack vector is network-based, requiring no authentication or user interaction, making it highly accessible to attackers scanning for vulnerable devices. The CVSS 4.0 base score is 8.7, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no active exploitation in the wild has been reported, a public exploit is available, increasing the likelihood of future attacks. The vulnerability affects only firmware version 16.03.13.11, so other versions may not be vulnerable. The lack of official patches at the time of publication necessitates interim mitigations. The vulnerability's presence in a widely deployed consumer and small business router model raises concerns about potential compromise of home and enterprise networks, especially where these devices serve as gateways or are exposed to untrusted networks.

For European organizations, exploitation of CVE-2026-2187 could lead to full compromise of affected Tenda RX3 routers, resulting in unauthorized access to internal networks, interception or manipulation of network traffic, and disruption of network availability. This can facilitate lateral movement by attackers, data exfiltration, or launching further attacks against connected systems. Small and medium enterprises, as well as home office environments relying on Tenda RX3 devices, are particularly vulnerable due to typically weaker perimeter defenses. Critical infrastructure sectors using these routers risk operational disruptions and potential safety hazards. The remote, unauthenticated nature of the exploit increases the attack surface, especially for devices with exposed management interfaces or insufficient network segmentation. The public availability of an exploit increases the urgency, as automated scanning and exploitation campaigns could target these devices. The impact extends beyond individual organizations to national cybersecurity posture, given the potential for widespread compromise of network infrastructure.

1. Immediately audit network environments to identify Tenda RX3 devices running firmware version 16.03.13.11. 2. Restrict access to router management interfaces by implementing network segmentation and firewall rules to block external access to the /goform/formSetQosBand endpoint. 3. Disable remote management features on affected devices if not strictly necessary. 4. Monitor network traffic for unusual activity indicative of exploitation attempts targeting the vulnerable endpoint. 5. Apply firmware updates from Tenda as soon as they become available; if no official patch exists, consider temporary device replacement or isolation. 6. Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting this vulnerability or exploit patterns. 7. Educate users and administrators about the risk and signs of compromise related to this vulnerability. 8. For critical environments, consider deploying network-level mitigations such as web application firewalls (WAF) to block malicious requests targeting the vulnerable function. 9. Maintain regular backups and incident response plans to quickly recover from potential compromises.