CVE-2026-5567
Remote Buffer Overflow in Tenda M3 Destination Handler

Publication date: 2026-04-05

Last updated on: 2026-04-30

Assigner: VulDB

Description
A flaw has been found in Tenda M3 1.0.0.10. This vulnerability affects the function setAdvPolicyData of the file /goform/setAdvPolicyData of the component Destination Handler. Executing a manipulation of the argument policyType can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.
Meta Information
Published: 2026-04-05
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
tenda m3_firmware 1.0.0.10
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5567 is a buffer overflow vulnerability found in the Tenda M3 router firmware version 1.0.0.10, specifically in the function setAdvPolicyData accessed via the /goform/setAdvPolicyData web interface.

The vulnerability arises because the length of data copied by the strncpy function is calculated based on user input without proper validation. An attacker can send a specially crafted rebootTime parameter containing a colon character, which causes the program to calculate an incorrect length and copy more data than the destination buffer can hold.

This improper handling leads to a buffer overflow, which can be triggered remotely by sending a malicious HTTP POST request to the vulnerable endpoint.


How can this vulnerability impact me?

Exploitation of this vulnerability can cause denial of service (DoS) conditions on the affected device, such as:

  • Crashing the device’s web management service, making the management interface inaccessible.
  • Causing the device to become unresponsive or behave abnormally.

There is also potential for further exploitation under certain conditions, which could lead to additional security risks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious HTTP POST requests to the endpoint /goform/setAdvPolicyData on Tenda M3 routers running firmware version 1.0.0.10.

Specifically, detection involves looking for POST requests containing the parameter rebootTime with an unusually long string followed by a colon, which is used to trigger the buffer overflow.

A practical approach is to capture and analyze network traffic to identify such malicious requests.

  • Use a network packet capture tool like tcpdump or Wireshark to filter HTTP POST requests to /goform/setAdvPolicyData.
  • Example tcpdump command to capture relevant traffic (-l line-buffers the output so that grep sees matches as they arrive): tcpdump -l -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/setAdvPolicyData'
  • Inspect captured HTTP POST data for the rebootTime parameter containing long strings with a colon, which indicates potential exploitation attempts.
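
The inspection step above, as an added example (not code from this page or from the vendor): it flags POST requests to /goform/setAdvPolicyData whose rebootTime value has an overlong run of characters before a colon, including a percent-encoded colon. The 8-character limit, the function names, the /goform/other path and the sample requests are assumptions; the page does not state the buffer size.

```python
from urllib.parse import parse_qs

ENDPOINT = "/goform/setAdvPolicyData"  # endpoint named on the page
PARAM = "rebootTime"                   # parameter named on the page
MAX_PREFIX = 8  # assumption: the page gives no buffer size; "HH:MM" needs 2


def build_request(path, body, method="POST"):
    """Build a constructed raw HTTP request for the samples below."""
    return (f"{method} {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


def inspect_request(raw, max_prefix=MAX_PREFIX):
    """Return a reason string if the request matches the pattern, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return None
    if request_line[1].split("?", 1)[0] != ENDPOINT:
        return None
    # parse_qs percent-decodes, so an encoded colon (%3A) is caught as well.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for value in fields.get(PARAM, []):
        prefix, colon, _ = value.partition(":")
        if colon and len(prefix) > max_prefix:
            return f"{PARAM}: {len(prefix)} characters before ':'"
    return None


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "normal": build_request(ENDPOINT, "policyType=1&rebootTime=03:30"),
    "long_prefix": build_request(ENDPOINT, "rebootTime=" + "1" * 64 + ":00"),
    "encoded_colon": build_request(ENDPOINT, "rebootTime=" + "1" * 64 + "%3A00"),
    "other_path": build_request("/goform/other", "rebootTime=" + "1" * 64 + ":00"),
    "get_request": build_request(ENDPOINT, "", method="GET"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {inspect_request(raw) or 'ok'}")
```

The same function can be applied to request bodies reassembled from a packet capture or taken from a reverse-proxy log that records POST data.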

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of the vulnerable firmware version and restricting access to the router's web management interface.

Specifically, you should:

  • Restrict network access to the /goform/setAdvPolicyData endpoint by using firewall rules or access control lists to limit who can send requests.
  • Disable remote management of the router if enabled, to prevent remote exploitation.
  • Monitor for and block suspicious HTTP POST requests containing the rebootTime parameter with abnormal values.
  • Apply any available firmware updates or patches from the vendor as soon as they are released.

In the absence of a patch, avoid using unsafe string copy operations and ensure input validation on parameters like rebootTime if you have custom firmware or control over the device software.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

