CVE-2026-5992
Received Received - Intake
Stack-Based Buffer Overflow in Tenda F451 /goform/P2pListFilter

Publication date: 2026-04-10

Last updated on: 2026-04-30

Assigner: VulDB

Description
A vulnerability was determined in Tenda F451 1.0.0.7. This affects the function fromP2pListFilter of the file /goform/P2pListFilter. This manipulation of the argument page causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5992
EUVD
EUVD-2026-21246
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda f451_firmware 1.0.0.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5992 is a stack-based buffer overflow vulnerability found in the Tenda F451 device firmware version 1.0.0.7. It occurs in the fromP2pListFilter function of the /goform/P2pListFilter endpoint. The vulnerability arises because the 'page' parameter is passed directly to the sprintf function without any length validation, allowing an attacker to overflow the buffer on the stack.

This improper handling of the 'page' argument enables remote exploitation by sending a specially crafted POST request with an excessively long 'page' parameter, which can cause the device to crash or allow execution of arbitrary code.

Impact Analysis

Exploitation of this vulnerability can lead to denial of service (DoS), causing the affected device to crash or become unresponsive.

More critically, it can allow remote code execution (RCE), meaning an attacker could run arbitrary code on the device remotely, potentially taking full control over it.

Detection Guidance

This vulnerability can be detected by sending a specially crafted POST request to the endpoint "/goform/P2pListFilter" with the "page" parameter containing a large payload (e.g., 2048 'a' characters) to test for a stack-based buffer overflow.

A detection command example using curl would be:

  • curl -X POST http://<target-ip>/goform/P2pListFilter -d "page=$(python3 -c 'print("a"*2048)')"

If the device crashes, becomes unresponsive, or behaves abnormally after this request, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint "/goform/P2pListFilter" by implementing network-level controls such as firewall rules to block unauthorized or external access.

Additionally, monitor the device for unusual behavior or crashes that may indicate exploitation attempts.

If possible, update the firmware to a version that addresses this vulnerability or contact the vendor for a patch.

Compliance Impact

The provided information does not specify how the CVE-2026-5992 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5992. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart