CVE-2026-5550
Received Received - Intake
Stack-Based Buffer Overflow in Tenda AC10 /bin/httpd Remote Attack

Publication date: 2026-04-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in Tenda AC10 16.03.10.10_multi_TDE01. This affects the function fromSysToolChangePwd of the file /bin/httpd. The manipulation leads to stack-based buffer overflow. The attack may be initiated remotely. Multiple endpoints might be affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5550
EUVD
EUVD-2026-19048
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda ac10_firmware 16.03.10.10_multi_tde01
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow a remote attacker to execute arbitrary code or cause a denial of service by exploiting the stack-based buffer overflow in the router's httpd service. Because the overflow occurs in a function that handles password changes and other configuration requests, an attacker could potentially gain unauthorized control over the device, disrupt network services, or compromise the confidentiality, integrity, and availability of the router.

Executive Summary

CVE-2026-5550 is a high-severity stack-based buffer overflow vulnerability found in the Tenda AC10 V4 router firmware, specifically in the httpd binary's fromSysToolChangePwd function. The issue arises because the GetValue() function reads configuration values from NVRAM or flash storage and copies them into small fixed-size stack buffers without validating the length of the data. This lack of bounds checking allows an attacker to overflow these buffers if oversized data is stored and read back, potentially leading to remote exploitation.

The vulnerability is systemic, affecting many handlers that use small buffers (16 to 64 bytes) and rely on GetValue() without length validation. The device also lacks common protections like stack canaries and address space layout randomization (ASLR), making exploitation more reliable.

Detection Guidance

The vulnerability involves a stack-based buffer overflow in the httpd binary of the Tenda AC10 router firmware, specifically in the fromSysToolChangePwd handler and other similar handlers that use small fixed-size stack buffers. Detection would involve checking for unusually large or malformed NVRAM key values that are read into these buffers without length validation.

Since the issue arises from the GetValue() function copying NVRAM values into small buffers without bounds checking, detection could focus on monitoring or auditing NVRAM values for oversized entries or unexpected changes.

No explicit detection commands are provided in the available resources. However, network administrators might consider commands or scripts that query NVRAM values on the device to identify unusually large or suspicious entries, or monitor HTTP requests targeting the vulnerable handlers such as fromSysToolChangePwd.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoints to prevent remote exploitation, such as limiting network access to trusted users or disabling remote management features temporarily.

Longer-term remediation involves updating the firmware to a version where the GetValue() function enforces length parameters, maximum length limits are imposed on NVRAM keys, and the httpd binary is recompiled with stack canary protections enabled (-fstack-protector-strong).

Until such updates are available, monitoring and controlling access to the device and its management interfaces is critical to reduce the risk of exploitation.

Compliance Impact

The provided information does not specify how the CVE-2026-5550 vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5550. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart