VYPR
High severity · 8.8 · NVD Advisory · Published May 30, 2026

CVE-2026-10121

Description

A flaw has been found in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSetUrlFilter of the file /goform/formSetUrlFilter. Manipulation of the argument keyword_list/keyword causes a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack-based buffer overflow in TRENDnet TEW-432BRP 3.10B20 allows remote attackers to execute arbitrary code via a crafted keyword_list parameter.

Vulnerability

A stack-based buffer overflow vulnerability exists in the formSetUrlFilter function of the boa binary on TRENDnet TEW-432BRP routers running firmware version 3.10B20. The function directly copies user-supplied data from the keyword_list and keyword parameters into a fixed-size stack buffer without proper bounds checking, leading to a buffer overflow. The vulnerable code path is reachable via the /goform/formSetUrlFilter endpoint [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the /goform/formSetUrlFilter endpoint with an overly long keyword_list parameter. The PoC demonstrates that sending a string of approximately 877 'a' characters triggers a crash, indicating memory corruption. By carefully controlling the overflow, an attacker can overwrite the return address and achieve arbitrary code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the affected device with root privileges, leading to full compromise of the router. This could result in denial of service, information disclosure, or further network attacks [1].

Mitigation

The vendor has stated that the TRENDnet TEW-432BRP model has been end-of-life since 2009 and no patches or updates will be provided. Users are strongly advised to replace the device with a supported alternative to mitigate the risk. No workaround exists [1].

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input length validation in formSetUrlFilter allows a stack-based buffer overflow via the keyword_list and keyword parameters."

Attack vector

An authenticated attacker sends a crafted POST request to `/goform/formSetUrlFilter` with an overly long `keyword_list` or `keyword` parameter. The input is copied to a stack buffer without bounds checking, overwriting the return address and enabling arbitrary code execution. The attack is remotely exploitable over the network [1].

Affected code

The vulnerability resides in the `formSetUrlFilter` function of the boa binary, which is reached through the `/goform/formSetUrlFilter` endpoint. The arguments `keyword_list` and `keyword` are copied directly to a stack buffer without length checking, causing a stack-based buffer overflow.

What the fix does

No patch is available. The vendor states the product has been end-of-life since 2009 and will not be fixed. The advisory recommends checking string content during input extraction to prevent the overflow, but no code change has been published [1].
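The length check the advisory recommends, sketched as an added example (not TRENDnet's code and not taken from the referenced PoC). The 256-byte buffer size and the names `get_form_param` and `handle_set_url_filter` are assumptions, since the page gives neither the firmware's buffer size nor its source.

```c
#include <string.h>

#define KEYWORD_MAX 256  /* assumed size; the real buffer size is not on the page */

/* Unsafe pattern described above (shown for contrast, never called):
 *     char buf[KEYWORD_MAX];
 *     strcpy(buf, value_from_request);    // no length check
 */

/* Copy the value of `name` from a form-encoded body into out[outsz].
 * Returns the value length, -1 if the parameter is absent, -2 if it does not fit. */
int get_form_param(const char *body, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');            /* end of this field */
        size_t flen = end ? (size_t)(end - p) : strlen(p);

        if (flen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = flen - nlen - 1;
            if (vlen >= outsz)
                return -2;                           /* reject, never truncate silently */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Hypothetical handler: answers with an HTTP status instead of overrunning the stack. */
int handle_set_url_filter(const char *body)
{
    char keyword_list[KEYWORD_MAX];
    char keyword[KEYWORD_MAX];
    if (get_form_param(body, "keyword_list", keyword_list, sizeof keyword_list) < 0)
        return 400;                                  /* missing or oversized */
    if (get_form_param(body, "keyword", keyword, sizeof keyword) == -2)
        return 400;                                  /* optional, but must fit */
    return 200;
}

int main(void)
{
    /* Constructed sample body, not captured traffic. */
    return handle_set_url_filter("keyword_list=ads.example&keyword=ads") == 200 ? 0 : 1;
}
```

The check runs on the still-encoded value, which is conservative because percent-decoding never lengthens a string.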

Preconditions

  • network: Attacker must have network access to the router's web interface.
  • auth: Attacker must provide valid HTTP Basic authentication credentials (e.g., admin:admin).
  • config: The vulnerable product (TEW-432BRP firmware 3.10B20) must be in use.

Reproduction

Send a POST request to `http://<router-ip>/goform/formSetUrlFilter` with a long `keyword_list` value (e.g., 800+ 'a' characters) as shown in the PoC. The router will crash and become unresponsive [1].

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
