CVE-2026-2191 is a stack-based buffer overflow vulnerability identified in the Tenda AC9 router firmware version 15.03.06.42_multi. The vulnerability resides in the formGetDdosDefenceList function, which processes the security.ddos.map argument. Improper handling of this input allows an attacker to overflow the stack buffer, potentially overwriting critical control data such as return addresses. This can lead to arbitrary code execution with elevated privileges on the device. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly dangerous. The CVSS 4.0 score of 8.6 reflects the ease of exploitation (network attack vector, low attack complexity) and the severe impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, the availability of a public exploit increases the likelihood of future attacks. The affected product, Tenda AC9, is a widely used consumer-grade wireless router, often deployed in home and small office environments, which may lack robust security monitoring. The flaw could be leveraged to disrupt network operations, intercept or manipulate traffic, or establish persistent footholds within targeted networks. Since no official patches or mitigation instructions are currently listed, organizations must adopt interim protective measures while awaiting vendor updates.

The impact of CVE-2026-2191 is significant for organizations and individuals using the Tenda AC9 router. Successful exploitation can lead to full compromise of the device, allowing attackers to execute arbitrary code with high privileges. This can result in unauthorized access to internal networks, interception or modification of sensitive data, disruption of network availability through denial-of-service conditions, and potential pivoting to other networked systems. Given the router's role as a gateway device, compromise can undermine the security posture of entire networks, including home offices and small businesses. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the risk of widespread exploitation. The public availability of an exploit further elevates the threat, potentially enabling automated attacks or inclusion in botnets. Organizations relying on Tenda AC9 devices should consider the vulnerability a critical risk to network security and data confidentiality.

1. Immediate mitigation should include isolating Tenda AC9 devices from critical network segments to limit potential lateral movement if compromised. 2. Disable or restrict access to the vulnerable function or related management interfaces if possible, such as disabling remote management features or filtering traffic targeting the affected service. 3. Implement network-level protections such as intrusion detection/prevention systems (IDS/IPS) configured to detect exploit attempts targeting this vulnerability. 4. Monitor network traffic for unusual patterns or attempts to access the security.ddos.map parameter. 5. Regularly audit and update router firmware; although no patch is currently listed, monitor Tenda’s official channels for security updates addressing this issue. 6. Consider replacing vulnerable devices with models from vendors with active security support if patching is delayed. 7. Educate users and administrators about the risks and signs of compromise related to this vulnerability. 8. Employ network segmentation and strong access controls to reduce exposure of vulnerable devices to untrusted networks. 9. Apply strict firewall rules to limit inbound traffic to management interfaces of the router.