CVE-2026-5548
Remote Stack-Based Buffer Overflow in Tenda AC10 HTTPD
Publication date: 2026-04-05
Last updated on: 2026-04-30
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac10_firmware | 16.03.10.10_multi_tde01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5548 is a critical stack-based buffer overflow vulnerability found in the Tenda AC10 router firmware, specifically in the fromSysToolChangePwd function within the /bin/httpd binary.
The vulnerability occurs because the function copies the password value stored in "sys.userpass" from NVRAM into a fixed 36-byte stack buffer without checking if the password length exceeds this size.
If the password is longer than 36 bytes, it overflows the buffer and can overwrite the saved return address on the stack, allowing an attacker to execute arbitrary code.
This overflow can be triggered remotely and may require some authentication depending on the context.
How can this vulnerability impact me?
This vulnerability can allow an attacker to remotely execute arbitrary code on the affected Tenda AC10 router.
Exploitation could lead to full compromise of the device, enabling the attacker to control the router, intercept or manipulate network traffic, disrupt network services, or use the device as a foothold for further attacks.
The attack complexity is low, and it can be initiated over the network, making it a significant security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a stack-based buffer overflow triggered by an oversized password value stored in the sys.userpass parameter in the Tenda AC10 router firmware. Detection involves checking the length of the sys.userpass value stored in the device's NVRAM.
You can attempt to detect the vulnerability by querying the sys.userpass value and verifying if it exceeds the safe length of 36 bytes. Since the overflow occurs when the password length is greater than 36 bytes, any sys.userpass longer than this threshold indicates potential exposure.
- Use a command or script to read the sys.userpass value from the device's NVRAM or configuration storage.
- Example command (if you have shell access): `nvram get sys.userpass`
- Check the length of the returned password string; if it is longer than 36 characters, the device is vulnerable.
Additionally, network monitoring for unusual or malformed packets targeting the /bin/httpd service or attempts to exploit the fromSysToolChangePwd function could help detect exploitation attempts, but specific network commands or signatures are not provided.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on preventing the stack-based buffer overflow by ensuring the sys.userpass value does not exceed the buffer size and by applying patches or configuration changes.
- Apply firmware updates or patches from the vendor that add explicit maximum length checks before copying the sys.userpass value.
- Increase the buffer size in the fromSysToolChangePwd function to safely accommodate the maximum possible length of sys.userpass.
- Enforce length limits on the sys.userpass value at the time it is stored or modified in NVRAM to prevent oversized passwords.
- Implement a global maximum password length restriction across all write paths to sys.userpass.
Until patches are applied, restrict network access to the vulnerable service and monitor for suspicious activity to reduce the risk of exploitation.
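The length checks listed above, sketched in C as an added example (not Tenda's code and not taken from the firmware). The function names are hypothetical, the unchecked copy is assumed to be strcpy-style, and the check reserves one byte of the 36-byte buffer for the terminating NUL:

```c
#include <stdio.h>
#include <string.h>

#define USERPASS_BUF 36 /* stack buffer size stated in the text above */

/* Unchecked pattern as described (assumed strcpy-style; shown for contrast only):
 *     char pass[USERPASS_BUF];
 *     strcpy(pass, value_from_nvram);      // no length check
 */

/* Write-path check: accept only values that fit the buffer including the NUL. */
int userpass_len_ok(const char *value) {
    return value != NULL && memchr(value, '\0', USERPASS_BUF) != NULL;
}

/* Read-path copy: 0 on success, -1 if src is missing or does not fit.
 * Refuses rather than truncates, since a truncated credential is a different one. */
int copy_userpass(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || dst_size == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    const char *nul = memchr(src, '\0', dst_size); /* look no further than dst_size bytes */
    if (nul == NULL) return -1;
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Hypothetical handler: 'stored' stands in for the value read from NVRAM.
 * Returns the accepted length, or -1 when the value is rejected. */
int handle_change_pwd(const char *stored) {
    char pass[USERPASS_BUF];
    if (copy_userpass(pass, sizeof pass, stored) != 0) {
        fprintf(stderr, "sys.userpass rejected: does not fit %d bytes\n", USERPASS_BUF);
        return -1;
    }
    return (int)strlen(pass);
}

int main(void) {
    char big[65]; /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short value -> %d\n", handle_change_pwd("admin123"));
    printf("64-byte value -> %d\n", handle_change_pwd(big));
    return 0;
}
```

Running the same check on every write path to sys.userpass keeps an oversized value from being stored in the first place, while the read-path check protects against values that are already in NVRAM.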
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.