Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-5548 is a critical stack-based buffer overflow vulnerability found in the Tenda AC10 router firmware, specifically in the fromSysToolChangePwd function within the /bin/httpd binary.

The vulnerability occurs because the function copies the password value stored in "sys.userpass" from NVRAM into a fixed 36-byte stack buffer without checking if the password length exceeds this size.

If the password is longer than 36 bytes, it overflows the buffer and can overwrite the saved return address on the stack, allowing an attacker to execute arbitrary code.

This overflow can be triggered remotely and may require some authentication depending on the context.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to remotely execute arbitrary code on the affected Tenda AC10 router.

Exploitation could lead to full compromise of the device, enabling the attacker to control the router, intercept or manipulate network traffic, disrupt network services, or use the device as a foothold for further attacks.

The attack complexity is low, and it can be initiated over the network, making it a significant security risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a stack-based buffer overflow triggered by an oversized password value stored in the sys.userpass parameter in the Tenda AC10 router firmware. Detection involves checking the length of the sys.userpass value stored in the device's NVRAM.

You can attempt to detect the vulnerability by querying the sys.userpass value and verifying if it exceeds the safe length of 36 bytes. Since the overflow occurs when the password length is greater than 36 bytes, any sys.userpass longer than this threshold indicates potential exposure.

• Use a command or script to read the sys.userpass value from the device's NVRAM or configuration storage.
• Example command (if you have shell access): `nvram get sys.userpass`
• Check the length of the returned password string; if it is longer than 36 characters, the device is vulnerable.

Additionally, network monitoring for unusual or malformed packets targeting the /bin/httpd service or attempts to exploit the fromSysToolChangePwd function could help detect exploitation attempts, but specific network commands or signatures are not provided.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps focus on preventing the stack-based buffer overflow by ensuring the sys.userpass value does not exceed the buffer size and by applying patches or configuration changes.

• Apply firmware updates or patches from the vendor that add explicit maximum length checks before copying the sys.userpass value.
• Increase the buffer size in the fromSysToolChangePwd function to safely accommodate the maximum possible length of sys.userpass.
• Enforce length limits on the sys.userpass value at the time it is stored or modified in NVRAM to prevent oversized passwords.
• Implement a global maximum password length restriction across all write paths to sys.userpass.

Until patches are applied, restrict network access to the vulnerable service and monitor for suspicious activity to reduce the risk of exploitation.

Useful 0 Not Useful 0