CVE-2026-2187 is a stack-based buffer overflow vulnerability identified in the Tenda RX3 router firmware version 16.03.13.11. The vulnerability resides in the set_qosMib_list function, which is part of the QoS configuration interface accessible via the /goform/formSetQosBand endpoint. This function improperly processes the argument list, allowing an attacker to craft a malicious request that overflows the stack buffer. The overflow can overwrite critical memory regions, enabling remote code execution or denial of service. The attack vector is network-based, requiring no authentication or user interaction, making it highly accessible to remote attackers. The CVSS v4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. Although no confirmed exploits are currently active in the wild, the availability of proof-of-concept code increases the likelihood of exploitation. The vulnerability affects a widely deployed consumer and small office router model, which may be used in various global markets. Due to the lack of official patches at the time of publication, users remain exposed unless mitigations are applied.

The exploitation of CVE-2026-2187 can have severe consequences for organizations and individuals using the Tenda RX3 router. Successful attacks can lead to remote code execution, allowing attackers to gain control over the device with elevated privileges. This can result in interception or manipulation of network traffic, unauthorized access to internal networks, disruption of internet connectivity, and potential pivoting to other networked systems. The compromise of these routers can undermine the confidentiality of sensitive data, integrity of communications, and availability of network services. Small businesses and home users relying on these devices for internet access and network segmentation are particularly at risk. The widespread deployment of Tenda RX3 routers in various regions increases the potential attack surface, making this vulnerability a significant threat to network security and privacy worldwide.

To mitigate CVE-2026-2187, organizations and users should immediately check for firmware updates from Tenda addressing this vulnerability and apply them as soon as they become available. In the absence of official patches, users should restrict access to the router’s management interfaces by disabling remote management features and limiting access to trusted internal networks only. Network-level protections such as firewall rules can block incoming traffic to the vulnerable endpoint (/goform/formSetQosBand). Monitoring network traffic for unusual requests targeting QoS configuration endpoints can help detect exploitation attempts. Additionally, replacing affected devices with models from vendors with a strong security track record may be considered for high-security environments. Regularly auditing and updating router firmware and configurations is essential to reduce exposure to similar vulnerabilities.