CVE-2026-51603
Received Received - Intake

Stack-Based Buffer Overflow in Tenda CP3 V3.0 RTSP Service

Vulnerability report for CVE-2026-51603, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: MITRE

Description

A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted second SETUP request. After completing the OPTIONS, DESCRIBE, and a legitimate first SETUP request to obtain a valid session ID, the RTSP service's second-stage URL routing parser fails to validate the length of the URL field in the subsequent SETUP request. By supplying a URL consisting of exactly four consecutive repetitions of a valid RTSP URL, an attacker can bypass first-stage format validation and trigger a stack buffer overflow, causing an immediate crash of the RTSP service process and rendering the device inaccessible to all clients on the local network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda cp3 v31.1.9.91

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-51603 is a stack-based buffer overflow vulnerability in the RTSP service of the Tenda CP3 IP camera running firmware version V31.1.9.91.

The flaw occurs in the second-stage URL parsing logic of the RTSP service, which does not properly validate the length of the URL field in the second SETUP request.

An attacker can exploit this by first completing a legitimate RTSP handshake (OPTIONS, DESCRIBE, and first SETUP request) to obtain a valid session ID, then sending a crafted second SETUP request with a URL consisting of four consecutive repetitions of a valid RTSP URL.

This crafted request bypasses the initial format validation and triggers a stack buffer overflow during the URL routing parsing, causing the RTSP service process to crash immediately.

The vulnerability requires no authentication and only network access to the device's local network segment.

Impact Analysis

Exploitation of this vulnerability results in a denial-of-service (DoS) condition where the RTSP service on TCP port 554 crashes and stops responding.

This makes the affected device inaccessible to all clients on the local network, including official applications like the Tenda app and third-party media players such as VLC.

Additionally, because the overflow is stack-based, there is a potential risk for remote code execution (RCE), which could allow an attacker to execute arbitrary code on the device.

Detection Guidance

This vulnerability can be detected by monitoring the RTSP service on the Tenda CP3 device, specifically on TCP port 554. Detection involves observing if the RTSP service crashes or becomes unresponsive after a sequence of RTSP requests.

To detect the vulnerability, you can attempt to replicate the RTSP handshake sequence (OPTIONS, DESCRIBE, and a legitimate first SETUP request) to obtain a valid session ID, then send a crafted second SETUP request with a URL field consisting of four consecutive repetitions of a valid RTSP URL. If the RTSP service crashes or stops responding, the device is vulnerable.

A proof-of-concept (PoC) script is available to demonstrate this vulnerability, which can be used in a controlled environment to test for the issue.

While specific commands are not detailed, you can use network tools like curl or specialized RTSP clients (e.g., VLC with command-line options) to send the described RTSP requests. Monitoring the device's RTSP service availability on port 554 before and after sending the crafted requests can help detect the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting network access to the RTSP service on TCP port 554 to trusted devices only, especially limiting access to the local network segment.

Avoid exposing the Tenda CP3 device's RTSP service to untrusted networks or the internet to reduce the risk of exploitation.

Monitor the device for any crashes or unresponsiveness of the RTSP service and restart the device if necessary to restore functionality.

Check for firmware updates from Tenda that address this vulnerability and apply them as soon as they become available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51603. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart