CVE-2026-51600
Received Received - Intake

RTSP Request Handling DoS in Tenda CP3 V3.0 Firmware

Vulnerability report for CVE-2026-51600, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: MITRE

Description

Tenda CP3 V3.0 firmware V31.1.9.91 does not validate the Content-Length header field in RTSP requests (including DESCRIBE, SETUP, and PLAY methods). When a request carrying a Content-Length header is received without a corresponding message body, the RTSP parser enters a persistent body-awaiting state, causing the affected TCP connection to become permanently non-functional. The device does not actively close the connection, resulting in a TCP resource leak. This issue can be exploited by an unauthenticated remote attacker to cause a denial-of-service condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda cp3 31.1.9.91

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-51600 is a vulnerability in the RTSP service of the Tenda CP3 V3.0 IP camera running firmware version V31.1.9.91. The device fails to properly validate the Content-Length header in RTSP requests, such as DESCRIBE and SETUP methods, which according to protocol standards should not include a message body.

When an RTSP request includes a Content-Length header but lacks the corresponding message body, the device's RTSP parser waits indefinitely for the body to arrive. This causes the TCP connection to become permanently non-functional because the device silently consumes all subsequent data as body content without closing the connection.

This behavior leads to a TCP resource leak and can be exploited by an unauthenticated remote attacker to cause a denial-of-service condition on the device.

Mitigation Strategies

To mitigate the vulnerability in Tenda CP3 V3.0 firmware V31.1.9.91, immediate steps include restricting access to the RTSP service from untrusted networks to prevent unauthenticated remote attackers from exploiting the issue.

Additionally, monitoring and limiting the number of concurrent TCP connections to the RTSP service can help reduce the impact of potential resource exhaustion.

If possible, applying firmware updates or patches from the vendor that address the Content-Length header validation issue is recommended once available.

Impact Analysis

This vulnerability can be exploited by an unauthenticated remote attacker to cause a denial-of-service (DoS) condition on the affected Tenda CP3 V3.0 device.

By sending malformed RTSP requests with a Content-Length header but no message body, the attacker can cause the device's RTSP service to hang indefinitely, making the TCP connection permanently non-functional.

As the device does not close these connections, it leads to resource exhaustion (TCP resource leak), potentially disrupting normal device operation and availability.

Detection Guidance

This vulnerability can be detected by sending malformed RTSP requests to the Tenda CP3 V3.0 device, specifically RTSP methods like DESCRIBE or SETUP that include a Content-Length header but omit the corresponding message body. Observing whether the device's TCP connection becomes non-functional or hangs indefinitely indicates the presence of the vulnerability.

A proof-of-concept involves sending a DESCRIBE request with a Content-Length header but no body and monitoring the device's response or connection state.

While specific commands are not provided, a typical approach would be to use tools like netcat (nc) or curl to craft and send such RTSP requests manually or via a script.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51600. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart