CVE-2026-6988
Remote Buffer Overflow in Tenda Boa Service's formRoute Function
Publication date: 2026-04-25
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | hg10_firmware | 300001138 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6988 is a stack-based buffer overflow vulnerability found in the TENDA HG10 AC1200 Dual-Band Wi-Fi xPON ONT device. It exists in the web management interface, specifically in the formRoute handler accessed via the POST endpoint `/boaform/formRouting`.
The vulnerability arises because the `nextHop` parameter from an HTTP POST request is copied into a fixed-size 20-byte stack buffer without any length validation. This unchecked copy operation allows an attacker to supply an overly long string, causing a buffer overflow.
The Boa web server component that processes this request runs with root privileges and does not require authentication, making it possible for a remote attacker to exploit this flaw by sending a specially crafted POST request.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to a denial of service (DoS) by crashing the Boa management service, rendering the web management interface inaccessible.
Because the Boa process runs with root privileges, there is also potential for remote code execution (RCE), allowing an attacker to execute arbitrary code on the device with high privileges.
No authentication or user interaction is required to exploit this vulnerability, increasing the risk of remote attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/boaform/formRouting` on the Tenda HG10 device's web management interface.
Specifically, detection involves identifying HTTP POST requests containing the `nextHop` parameter with an unusually long value exceeding 20 bytes, which triggers the buffer overflow.
You can use network monitoring tools or packet capture utilities like tcpdump or Wireshark to filter and inspect such requests.
- Example tcpdump command to capture relevant POST requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/boaform/formRouting'
- Use curl or similar tools to test the endpoint by sending a POST request with a long `nextHop` parameter to see if the device crashes or behaves abnormally.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable web management interface to trusted networks only, such as by firewall rules or network segmentation.
Disabling remote management or the Boa web service if possible will prevent exploitation via the exposed endpoint.
Monitor the device for crashes or abnormal behavior indicating exploitation attempts.
Apply any available firmware updates or patches from the vendor that address this vulnerability.
If no patch is available, consider replacing the device or using alternative hardware until a fix is provided.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.