CVE-2026-5989
Remote Stack-Based Buffer Overflow in Tenda F451 RouteStatic

Publication date: 2026-04-10

Last updated on: 2026-04-30

Assigner: VulDB

Description
A flaw has been found in Tenda F451 1.0.0.7. Affected is the function fromRouteStatic of the file /goform/RouteStatic. Manipulation of the argument page can lead to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.
Meta Information

Published: 2026-04-10
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda f451_firmware 1.0.0.7
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-5989 is a stack-based buffer overflow vulnerability found in the Tenda F451 router firmware version 1.0.0.7. It occurs in the fromRouteStatic function of the /goform/RouteStatic endpoint, where a user-supplied parameter named "page" is processed without proper length validation.

Specifically, the parameter is passed directly to the sprintf function without bounds checking, which can overflow the stack buffer. An attacker can exploit this remotely by sending a specially crafted HTTP POST request with an excessively large "page" parameter, causing the overflow.

This flaw can lead to denial of service or potentially remote code execution on the affected device.


How can this vulnerability impact me?

This vulnerability can have serious impacts including denial of service (DoS) and remote code execution (RCE) on the affected Tenda F451 device.

  • Denial of Service: An attacker can crash or destabilize the device by triggering the buffer overflow.
  • Remote Code Execution: The attacker may execute arbitrary code remotely, potentially taking full control of the device.

Such impacts can compromise the availability, integrity, and confidentiality of the device and any network it is connected to.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a specially crafted HTTP POST request to the vulnerable device's "/goform/RouteStatic" endpoint with an excessively large "page" parameter.

A proof of concept involves posting 2048 bytes of the character 'a' to the endpoint to trigger the stack-based buffer overflow.

You can use the following curl command to test for the vulnerability:

  • curl -X POST http://[target-ip]/goform/RouteStatic -d "page=$(python3 -c 'print("a"*2048)')"

If the device crashes, becomes unresponsive, or behaves abnormally after this request, it is likely vulnerable.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in Tenda F451 1.0.0.7 related to the fromRouteStatic function, immediate steps include restricting or blocking remote access to the "/goform/RouteStatic" endpoint to prevent exploitation via specially crafted HTTP POST requests.

Additionally, monitoring network traffic for unusually large or malformed POST requests targeting this endpoint can help detect potential exploitation attempts.

Applying any available firmware updates or patches from the vendor that address this buffer overflow vulnerability is strongly recommended once they become available.
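
The monitoring step above can be implemented as a passive check on requests seen at a proxy or in a capture. The following is an added example, not part of the original advisory or vendor code: the 16-character threshold, the query-string check and the sample requests are assumptions, and only the endpoint and parameter names come from the description.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/RouteStatic"   # endpoint named in the advisory
PARAM = "page"                     # parameter named in the advisory
MAX_PAGE_LEN = 16                  # assumed threshold; tune to legitimate traffic


def inspect_request(raw: bytes):
    """Return findings for one raw HTTP request (empty list = nothing flagged)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    url = urlsplit(target)
    if method.upper() != "POST" or url.path.rstrip("/") != ENDPOINT:
        return []  # only POSTs to the affected endpoint are of interest
    findings = []
    headers = dict(l.lower().split(":", 1) for l in lines[1:] if ":" in l)
    declared = headers.get("content-length", "").strip()
    if not declared.isdigit() or int(declared) != len(body):
        findings.append("content-length missing or does not match body")
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    # Assumption: the server may also accept the parameter in the query string.
    for key, vals in parse_qs(url.query, keep_blank_values=True).items():
        fields.setdefault(key, []).extend(vals)
    for value in fields.get(PARAM, []):
        if len(value) > MAX_PAGE_LEN:
            findings.append(f"{PARAM} length {len(value)} exceeds {MAX_PAGE_LEN}")
    return findings


def build(body: bytes, path: str = ENDPOINT) -> bytes:
    """Build a constructed sample request (192.0.2.1 is a documentation address)."""
    return (f"POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


SAMPLES = {  # constructed requests, not captured traffic
    "normal": build(b"page=1"),
    "oversized": build(b"page=" + b"a" * 2048),
    "other_path": build(b"page=" + b"a" * 2048, "/index.html"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request(raw))
```
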

