CVE-2026-5036
Stack-Based Buffer Overflow in Tenda 4G06 Endpoint Component
Publication date: 2026-03-29
Last updated on: 2026-03-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | 4g06_firmware | 04.06.01.29 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Tenda Router 4G06 firmware version V04.06.01.29, specifically in the function fromDhcpListClient within the /goform/DhcpListClient endpoint. It is caused by improper handling of the user-controlled 'page' parameter, which is processed using the unsafe sprintf function without proper length checks.
Because the data is written into a fixed-size buffer of 256 bytes without verifying the input size, an attacker can send input larger than 256 bytes to overflow the buffer. This stack-based buffer overflow can lead to application crashes, memory corruption, or arbitrary code execution.
The vulnerability can be exploited remotely without authentication by sending a specially crafted POST request with an oversized 'page' parameter, allowing attackers to potentially take full control of the device.
How can this vulnerability impact me? :
Exploitation of this vulnerability can have severe impacts including:
- Denial of Service (DoS) by crashing the router's web server process.
- Execution of arbitrary code by overwriting the stack return address, potentially allowing attackers to run malicious code on the device.
- Leakage of sensitive information from the device's memory.
- Full device takeover, enabling attackers to monitor network traffic or use the router as a pivot point for further attacks within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a specially crafted POST request to the vulnerable endpoint `/goform/DhcpListClient` with an oversized `page` parameter. A proof-of-concept exploit involves sending a POST request containing a `page` parameter with more than 256 bytes, for example 2048 bytes of 'a', which triggers the buffer overflow.
You can use command-line tools like curl to test for this vulnerability by sending an oversized payload to the endpoint.
- curl -X POST http://[router-ip]/goform/DhcpListClient -d "page=$(python3 -c 'print("a"*2048)')"
If the device crashes, becomes unresponsive, or exhibits abnormal behavior after this request, it is likely vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint and limiting exposure of the device to untrusted networks.
Applying firmware updates or patches from the vendor that fix the vulnerability is the most effective mitigation.
- Replace unsafe functions like sprintf with safer alternatives such as snprintf that enforce buffer size limits.
- Implement strict bounds checking on the `page` parameter to ensure it does not exceed 256 bytes.
- Validate and sanitize all input to reject malformed or oversized data.
- Apply the principle of least privilege to limit service permissions and restrict access to sensitive memory and configuration areas.
Until a patch is applied, consider isolating the device from untrusted networks and monitoring for suspicious activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows remote attackers to execute arbitrary code, cause denial of service, or leak sensitive information by exploiting a stack-based buffer overflow in the Tenda 4G06 router. Such unauthorized access and potential data leakage can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
Successful exploitation could enable full device takeover and network traffic monitoring, increasing the risk of exposure of personal or protected health information, thereby impacting compliance with confidentiality, integrity, and availability requirements mandated by these standards.
Therefore, organizations using affected devices may face compliance challenges unless the vulnerability is remediated promptly to prevent unauthorized access and data breaches.