CVE-2026-51605
Received Received - Intake

Stack-Based Buffer Overflow in Tenda CP3 V3.0 RTSP Service

Vulnerability report for CVE-2026-51605, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: MITRE

Description

A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.991) allows an unauthenticated remote attacker to cause a denial of service via a crafted TEARDOWN request.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda cp3 31.1.9.991

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

Exploiting this vulnerability causes the RTSP service process to crash, resulting in a denial-of-service (DoS) condition.

During this DoS state, TCP port 554 stops accepting connections, making the device inaccessible to all clients, including the official Tenda app and third-party media players like VLC.

Additionally, due to the stack-based nature of the buffer overflow, there is a potential risk for remote code execution, which could allow an attacker to execute arbitrary code on the device.

Compliance Impact

The provided information does not specify how the vulnerability in the Tenda CP3 V3.0 RTSP service affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-51605 is a stack-based buffer overflow vulnerability found in the RTSP service of the Tenda CP3 V3.0 IP camera, specifically in firmware version V31.1.9.991.

The flaw occurs during the handling of the TEARDOWN request, where the second-stage URL parsing does not properly validate the length of the URL field.

An unauthenticated attacker with LAN access can send a TEARDOWN request containing a URL field made up of five consecutive repetitions of a valid RTSP URL. This bypasses initial format checks and triggers a buffer overflow.

Exploitation requires completing a legitimate RTSP handshake sequence before sending the malformed TEARDOWN request.

Detection Guidance

This vulnerability can be detected by monitoring the RTSP service on TCP port 554 for abnormal crashes or denial of service conditions. Specifically, if the RTSP service stops accepting connections unexpectedly, it may indicate exploitation attempts.

Detection involves checking for the presence of malformed TEARDOWN requests that contain a URL field with repeated valid RTSP URLs, which trigger the buffer overflow.

To detect such activity, you can use network packet capture tools like tcpdump or Wireshark to filter and analyze RTSP traffic on port 554.

  • Use tcpdump to capture RTSP traffic: tcpdump -i <interface> tcp port 554 -w rtsp_traffic.pcap
  • Analyze the captured traffic in Wireshark, filtering for RTSP TEARDOWN requests and inspecting the URL fields for repeated patterns.
  • Monitor the RTSP service process status on the device to detect crashes or restarts.
Mitigation Strategies

Immediate mitigation steps include restricting access to the RTSP service on TCP port 554 to trusted networks only, such as limiting it to LAN access and blocking external access via firewall rules.

Since exploitation requires completing a legitimate RTSP handshake, monitoring and filtering RTSP traffic for suspicious sequences can help prevent attacks.

If possible, update the device firmware to a version that addresses this vulnerability.

As a temporary measure, consider disabling the RTSP service if it is not required.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-51605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart