CVE-2026-51602
Received Received - Intake

Stack-Based Buffer Overflow in Tenda CP3 Router

Vulnerability report for CVE-2026-51602, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: MITRE

Description

A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted SETUP request. The RTSP service's second-stage URL routing parser fails to validate the length of the URL field in the first SETUP request. By supplying a URL consisting of exactly four consecutive repetitions of a valid RTSP URL, an attacker can bypass first-stage format validation and trigger a stack buffer overflow, causing an immediate crash of the RTSP service process and rendering the device inaccessible to all clients on the local network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda cp3 31.1.9.91

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability causes a denial of service by crashing the RTSP service on the Tenda CP3 V3.0 device, rendering it inaccessible to clients on the local network. While it does not directly compromise confidentiality or integrity of data, the resulting service disruption could impact availability, which is a key aspect of compliance with standards like GDPR and HIPAA.

Specifically, the denial of service could interfere with the continuous operation of security or monitoring systems relying on the device, potentially leading to non-compliance with regulations that require maintaining availability and reliability of security controls.

However, there is no direct indication from the provided information that this vulnerability leads to unauthorized data access or disclosure, which are primary concerns under GDPR and HIPAA.

Executive Summary

CVE-2026-51602 is a stack-based buffer overflow vulnerability found in the RTSP service of the Tenda CP3 V3.0 IP camera, specifically in firmware version V31.1.9.91.

The flaw occurs in the second-stage URL parsing logic of the SETUP request handler, which does not properly validate the length of the URL field.

An attacker can send a specially crafted SETUP request containing a URL made up of four consecutive repetitions of a valid RTSP URL. This bypasses the initial format validation and triggers a stack buffer overflow.

As a result, the RTSP service process crashes immediately, causing TCP port 554 to become unresponsive and denying service to all clients on the local network.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to cause a denial of service on the affected device by crashing the RTSP service.

When exploited, the RTSP service process crashes, making the device inaccessible to all clients on the local network, including official apps and third-party media players.

Additionally, because the overflow is stack-based, there is a potential risk that an attacker could escalate the impact to remote code execution, although the proof-of-concept currently demonstrates denial of service.

Detection Guidance

This vulnerability can be detected by monitoring the RTSP service on TCP port 554 for unresponsiveness or crashes following malformed SETUP requests.

An attacker exploits the vulnerability by sending a crafted SETUP request with a URL field consisting of four consecutive repetitions of a valid RTSP URL, which bypasses initial format validation and triggers a stack buffer overflow.

To detect exploitation attempts, you can use network traffic capture tools like tcpdump or Wireshark to monitor RTSP traffic on port 554 and look for SETUP requests with unusually long or repeated URL fields.

  • Use tcpdump to capture RTSP traffic: tcpdump -i <interface> tcp port 554 -w rtsp_traffic.pcap
  • Analyze captured traffic with Wireshark to inspect SETUP requests for repeated URL patterns.
  • Check the availability of the RTSP service by attempting to connect to port 554; repeated crashes or unresponsiveness may indicate exploitation.
Mitigation Strategies

Immediate mitigation steps include restricting access to the RTSP service on TCP port 554 to trusted networks or hosts only, to prevent unauthenticated remote attackers from sending malicious SETUP requests.

If possible, disable the RTSP service temporarily until a firmware update or patch addressing this vulnerability is available.

Monitor the device for crashes or unresponsiveness of the RTSP service and consider network-level protections such as firewall rules to block suspicious RTSP traffic.

Contact the vendor or check for firmware updates that fix the input validation flaw in the RTSP service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart