CVE-2026-2203

HIGH

Tenda Ac8 Firmware - Memory Corruption

Title source: rule

Description

A flaw has been found in Tenda AC8 16.03.33.05. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set of the component Embedded Httpd Service. This manipulation of the argument timeZone causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.

References (6)

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.344906

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.344906

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.750226

[Exploit, Third Party Advisory] https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/AC8/fastsettingwifiset-timezome.md

View Exploit ZIP pw:eip

[Exploit, Third Party Advisory] https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/AC8/fastsettingwifiset-timezome.md#poc

[Product] https://www.tenda.com.cn/

Scores

CVSS v3 8.8

EPSS 0.0011

EPSS Percentile 29.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-120 CWE-119

Status published

Products (1)

tenda/ac8_firmware 16.03.33.05

Published Feb 09, 2026

Tracked Since Feb 18, 2026