CVE-2026-2138 PUBLISHED

A vulnerability was found in Tenda TX9 up to 22.03.02.10_multi. Affected is the function sub_42D03C of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.

• kdb3169 (VulDB User) reporter

• VDB-344773 | Tenda TX9 SetStaticRouteCfg sub_42D03C buffer overflow
• VDB-344773 | CTI Indicators (IOB, IOC, IOA)
• Submit #747249 | Tenda TX9 V22.03.02.10_multi Buffer Overflow
• https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md
• https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md#poc
• https://www.tenda.com.cn/

• Buffer Overflow CWE
• Memory Corruption CWE