Tenda Routers: Four Vulnerabilities Including Critical Buffer Overflow Disclosed
Tenda's firmware is under scrutiny with the simultaneous disclosure of four vulnerabilities, including a critical stack-based buffer overflow affecting multiple router models.
Key findings
- Four Tenda router vulnerabilities disclosed on June 8, 2026, within a 3-hour window.
- Critical vulnerability (CVE-2026-11499) allows remote stack-based buffer overflow on HG7HG9 and HG10 models.
- Two high-severity stack-based buffer overflows affect CX12L, HG7HG9, and HG10 models.
- Medium-severity flaw (CVE-2026-11493) in Tenda AC15 leads to weak password requirements via Samba.
- Remote exploitation is possible for critical and high-severity buffer overflow vulnerabilities.
On June 8, 2026, a batch of four vulnerabilities affecting various Tenda router models was disclosed, highlighting potential security weaknesses in the manufacturer's devices. The disclosures, which occurred within a three-hour window, range in severity from medium to critical, with several involving stack-based buffer overflows that could be exploited remotely.
The most severe of these, CVE-2026-11499, carries a critical CVSSv3 score of 9.8. This vulnerability resides in the formDOMAINBLK function within the /boaform/formDOMAINBLK file of Tenda HG7HG9 and HG10 models. Exploitation involves manipulating the blkDomain argument, leading to a stack-based buffer overflow that can be performed remotely. This type of vulnerability is particularly concerning as it can allow attackers to execute arbitrary code on the affected device.
Two high-severity vulnerabilities, CVE-2026-11503 and CVE-2026-11498, also stem from stack-based buffer overflows. CVE-2026-11503 affects Tenda CX12L 16.03.53.12, specifically in the form_fast_setting_wifi_set function within /goform/fast_setting_wifi_set. Manipulation of the ssid argument is the trigger for the overflow. Similarly, CVE-2026-11498 impacts Tenda HG7HG9 and HG10 models, affecting the asp_voip_OtherSet function in /boaform/voip_other_set. Here, manipulating the funckey_transfer argument leads to the buffer overflow.
A medium-severity vulnerability, CVE-2026-11493, was identified in the Tenda AC15 15.03.05.19. This weakness is related to weak password requirements within the Samba component, specifically in the /etc_ro/smb.conf file. While this vulnerability requires local network access to exploit, it could still allow unauthorized users to gain access to network resources by bypassing authentication mechanisms.
Details regarding specific patches or firmware updates addressing these vulnerabilities were not immediately available at the time of disclosure. However, given the nature of stack-based buffer overflows and weak password configurations, users are strongly advised to monitor Tenda's official support channels for any forthcoming security advisories or firmware updates. The simultaneous disclosure suggests a coordinated effort to bring these issues to light, emphasizing the importance of prompt patching.
This cluster of vulnerabilities underscores the ongoing need for vigilance in securing network edge devices. Users of Tenda routers, particularly the affected models, should prioritize applying any available security updates to mitigate the risk of exploitation. The remote exploitability of the critical and high-severity flaws makes them a prime target for automated attacks.