CVE-2026-5550
Stack-Based Buffer Overflow in Tenda AC10 /bin/httpd Remote Attack
Publication date: 2026-04-05
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac10_firmware | 16.03.10.10_multi_tde01 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves a stack-based buffer overflow in the httpd binary of the Tenda AC10 router firmware, specifically in the fromSysToolChangePwd handler and other similar handlers that use small fixed-size stack buffers. Detection would involve checking for unusually large or malformed NVRAM key values that are read into these buffers without length validation.
Since the issue arises from the GetValue() function copying NVRAM values into small buffers without bounds checking, detection could focus on monitoring or auditing NVRAM values for oversized entries or unexpected changes.
No explicit detection commands are provided in the available resources. However, network administrators might consider commands or scripts that query NVRAM values on the device to identify unusually large or suspicious entries, or monitor HTTP requests targeting the vulnerable handlers such as fromSysToolChangePwd.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoints to prevent remote exploitation, such as limiting network access to trusted users or disabling remote management features temporarily.
Longer-term remediation involves updating the firmware to a version where the GetValue() function enforces length parameters, maximum length limits are imposed on NVRAM keys, and the httpd binary is recompiled with stack canary protections enabled (-fstack-protector-strong).
Until such updates are available, monitoring and controlling access to the device and its management interfaces is critical to reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-5550 vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to execute arbitrary code or cause a denial of service by exploiting the stack-based buffer overflow in the router's httpd service. Because the overflow occurs in a function that handles password changes and other configuration requests, an attacker could potentially gain unauthorized control over the device, disrupt network services, or compromise the confidentiality, integrity, and availability of the router.
Can you explain this vulnerability to me?
CVE-2026-5550 is a high-severity stack-based buffer overflow vulnerability found in the Tenda AC10 V4 router firmware, specifically in the httpd binary's fromSysToolChangePwd function. The issue arises because the GetValue() function reads configuration values from NVRAM or flash storage and copies them into small fixed-size stack buffers without validating the length of the data. This lack of bounds checking allows an attacker to overflow these buffers if oversized data is stored and read back, potentially leading to remote exploitation.
The vulnerability is systemic, affecting many handlers that use small buffers (16 to 64 bytes) and rely on GetValue() without length validation. The device also lacks common protections like stack canaries and address space layout randomization (ASLR), making exploitation more reliable.