CVE-2026-15480
Received Received - Intake

Stack-Based Buffer Overflow in Trendnet TEW-635BRM

Vulnerability report for CVE-2026-15480, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: VulDB

Description

A vulnerability was identified in Trendnet TEW-635BRM up to 1.00.03. This affects the function start_httpd of the file /sbin/rc of the component Web Service. Such manipulation of the argument device_name leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor explains: "We are unable to confirm if the vulnerability exists. This item has been EOL since 2011. We will make an official announcement of possible vulnerabilities, and recommend users to switch devices." This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
trendnet tew-635brm to 1.00.03 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15480 is a stack-based buffer overflow vulnerability in the TRENDnet TEW-635BRM router, specifically in the start_httpd function of the /sbin/rc binary. The issue arises because the device_name variable from NVRAM is copied into a fixed-size stack buffer without checking its length, using the unsafe strcpy() function.

Since the buffer is only 126 bytes but the saved return address is located 136 bytes below it, any device_name longer than 136 bytes will overwrite the return address, causing a crash and preventing the web service from starting.

An attacker with write access to NVRAM can exploit this by setting a maliciously crafted device_name, potentially leading to remote code execution. The exploit can be triggered manually or automatically at boot.

Mitigation involves replacing strcpy with safer functions like strncpy or strlcpy and enforcing input length validation at the NVRAM storage layer.

Impact Analysis

This vulnerability can allow an attacker with write access to the device's NVRAM to execute arbitrary code remotely by exploiting the buffer overflow in the device_name parameter.

Successful exploitation can cause the web service to crash or be prevented from starting, potentially leading to denial of service or full compromise of the device.

Since the device is no longer supported and the exploit is publicly available, users are at increased risk if they continue to use this device.

Detection Guidance

This vulnerability can be detected by checking if the device's NVRAM variable "device_name" contains a value longer than 136 bytes, which causes a stack-based buffer overflow in the /sbin/rc binary's start_httpd function.

One way to test for the vulnerability is to manually trigger the vulnerable service using the command:

  • rc service start

If the web service (mini_httpd) fails to start or crashes, it may indicate the presence of the vulnerability due to a buffer overflow caused by an oversized device_name.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of devices affected by this vulnerability, as the product is end-of-life and no official patches are available.

If continued use is necessary, ensure that the device_name NVRAM variable is not set to a value longer than 136 bytes to prevent triggering the buffer overflow.

From a development or maintenance perspective, replacing unsafe functions like strcpy with safer alternatives such as strncpy or strlcpy and enforcing input length validation at the NVRAM storage layer are recommended to prevent oversized values.

Ultimately, the vendor recommends switching to supported devices due to the lack of official fixes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15480. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart