CVE-2026-4041
Received Received - Intake
Remote Stack-Based Buffer Overflow in Tenda i12 /goform/exeCommand

Publication date: 2026-03-12

Last updated on: 2026-04-02

Assigner: VulDB

Description
A security flaw has been discovered in Tenda i12 1.0.0.6(2204). Impacted is the function vos_strcpy of the file /goform/exeCommand. The manipulation of the argument cmdinput results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4041
EUVD
EUVD-2026-11587
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda i12_firmware 1.0.0.6(2204)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4041 is a stack-based buffer overflow vulnerability found in the Tenda i12 router running firmware version 1.0.0.6(2204).'}, {'type': 'paragraph', 'content': 'The flaw exists in the function vos_strcpy within the /goform/exeCommand file, which processes a user-supplied parameter named "cmdinput."'}, {'type': 'paragraph', 'content': 'Because the vos_strcpy function does not check the length of the input, an attacker can send a specially crafted request with an excessively long "cmdinput" parameter, causing a stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'This overflow can lead to denial of service (DoS) or potentially allow remote code execution (RCE) on the device.'}] [1, 2, 3]

Impact Analysis

This vulnerability can be exploited remotely without authentication, making it highly severe.

An attacker can cause denial of service (DoS), disrupting the availability of the device.

More critically, the attacker may execute arbitrary code remotely, compromising the confidentiality, integrity, and availability of the affected router.

Since the exploit is publicly available, the risk of attacks is increased.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious HTTP POST requests sent to the /goform/exeCommand endpoint containing an excessively long or malformed "cmdinput" parameter. Such requests may indicate attempts to exploit the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze network traffic for POST requests targeting /goform/exeCommand with unusually large payloads in the cmdinput field.'}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts include using tools like tcpdump or tshark to filter HTTP POST requests to the vulnerable endpoint:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/exeCommand'"}, {'type': 'list_item', 'content': 'tshark -Y \'http.request.method == "POST" and http.request.uri contains "/goform/exeCommand"\' -T fields -e http.file_data'}, {'type': 'paragraph', 'content': 'Inspect the captured payloads for abnormally long or repetitive characters in the cmdinput parameter, which may indicate exploitation attempts.'}] [3]

Mitigation Strategies

There are no known official patches or vendor fixes available for this vulnerability in the Tenda i12 firmware version 1.0.0.6(2204).

Immediate mitigation steps include:

  • Restrict or block remote access to the /goform/exeCommand endpoint on the affected device using firewall rules or network segmentation.
  • Disable remote management features on the router if possible to reduce exposure.
  • Monitor network traffic for exploitation attempts and respond accordingly.

Ultimately, it is recommended to replace the affected Tenda i12 device with a secure alternative, as the vulnerability allows remote code execution and denial of service without authentication.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart