CVE-2026-51604
Received Received - Intake

Stack-Based Buffer Overflow in Tenda CP3 Router

Vulnerability report for CVE-2026-51604, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: MITRE

Description

A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted PLAY request.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda cp3 31.1.9.91

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting network access to the RTSP service on TCP port 554 to trusted hosts only, such as limiting access to the local network segment.

Additionally, monitoring the RTSP service for crashes and restarting it if it becomes unresponsive can help maintain availability.

Since the vulnerability requires no authentication and only local network access, isolating the device from untrusted networks or disabling the RTSP service if not needed are also recommended.

Executive Summary

CVE-2026-51604 is a stack-based buffer overflow vulnerability found in the RTSP service of the Tenda CP3 IP camera running firmware version V31.1.9.91.

The flaw occurs in the second-stage URL parsing logic of the RTSP PLAY request handler, which does not properly validate the length of the URL field.

An unauthenticated attacker on the local network can send a specially crafted PLAY request containing a URL field with five consecutive repetitions of a valid RTSP URL. This bypasses the initial format check and triggers a buffer overflow.

As a result, the RTSP service process crashes immediately, making TCP port 554 unresponsive and denying access to all clients, including the official Tenda app and third-party players like VLC.

Exploitation requires completing a legitimate RTSP handshake before sending the malformed PLAY request.

While the demonstrated impact is denial of service, the stack-based nature of the overflow also presents a potential risk for remote code execution.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker on your local network to cause a denial of service on your Tenda CP3 IP camera's RTSP service.

The attacker can crash the RTSP service, making the device's TCP port 554 unresponsive and preventing access to the camera's video stream from all clients, including official and third-party applications.

This disruption can result in loss of video monitoring capability, which may affect security and surveillance operations.

Additionally, there is a potential risk that the vulnerability could be exploited for remote code execution, which could lead to further compromise of the device.

Detection Guidance

This vulnerability can be detected by monitoring the RTSP service on TCP port 554 for crashes or unresponsiveness after receiving malformed PLAY requests.

Detection involves sending a crafted RTSP PLAY request with a URL field consisting of five consecutive repetitions of a valid RTSP URL after completing a legitimate RTSP handshake (OPTIONS, DESCRIBE, and two SETUP requests). If the RTSP service crashes or the port becomes unresponsive, the device is vulnerable.

Commands to test this could involve using tools like netcat or custom scripts to perform the RTSP handshake and send the malformed PLAY request to the device's port 554.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51604. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart