CVE-2026-6988
Received Received - Intake
Remote Buffer Overflow in Tenda Boa Service's formRoute Function

Publication date: 2026-04-25

Last updated on: 2026-04-30

Assigner: VulDB

Description
A flaw has been found in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon. This issue affects the function formRoute of the file /boaform/formRouting of the component Boa Service. This manipulation of the argument nextHop causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-25
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6988
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda hg10_firmware 300001138
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6988 is a stack-based buffer overflow vulnerability found in the TENDA HG10 AC1200 Dual-Band Wi-Fi xPON ONT device. It exists in the web management interface, specifically in the formRoute handler accessed via the POST endpoint `/boaform/formRouting`.

The vulnerability arises because the `nextHop` parameter from an HTTP POST request is copied into a fixed-size 20-byte stack buffer without any length validation. This unchecked copy operation allows an attacker to supply an overly long string, causing a buffer overflow.

The Boa web server component that processes this request runs with root privileges and does not require authentication, making it possible for a remote attacker to exploit this flaw by sending a specially crafted POST request.

Impact Analysis

Exploitation of this vulnerability can lead to a denial of service (DoS) by crashing the Boa management service, rendering the web management interface inaccessible.

Because the Boa process runs with root privileges, there is also potential for remote code execution (RCE), allowing an attacker to execute arbitrary code on the device with high privileges.

No authentication or user interaction is required to exploit this vulnerability, increasing the risk of remote attacks.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/boaform/formRouting` on the Tenda HG10 device's web management interface.

Specifically, detection involves identifying HTTP POST requests containing the `nextHop` parameter with an unusually long value exceeding 20 bytes, which triggers the buffer overflow.

You can use network monitoring tools or packet capture utilities like tcpdump or Wireshark to filter and inspect such requests.

  • Example tcpdump command to capture relevant POST requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boaform/formRouting'
  • Use curl or similar tools to test the endpoint by sending a POST request with a long `nextHop` parameter to see if the device crashes or behaves abnormally.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable web management interface to trusted networks only, such as by firewall rules or network segmentation.

Disabling remote management or the Boa web service if possible will prevent exploitation via the exposed endpoint.

Monitor the device for crashes or abnormal behavior indicating exploitation attempts.

Apply any available firmware updates or patches from the vendor that address this vulnerability.

If no patch is available, consider replacing the device or using alternative hardware until a fix is provided.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6988. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart