CVE-2026-11503
Description
Tenda CX12L firmware V16.03.53.12 has a stack buffer overflow in Wi-Fi configuration, allowing remote code execution with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tenda CX12L firmware V16.03.53.12 has a stack buffer overflow in Wi-Fi configuration, allowing remote code execution with root privileges.
Vulnerability
A stack-based buffer overflow vulnerability exists in the form_fast_setting_wifi_set function within the Wi-Fi Configuration Endpoint (/goform/fast_setting_wifi_set) of Tenda CX12L firmware version V16.03.53.12 [1]. The vulnerability arises from the use of the unsafe sprintf function to process the user-controlled ssid argument into a fixed-size stack buffer (ssid_5g of 64 bytes) without proper length validation.
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP request to the /goform/fast_setting_wifi_set endpoint with an overly long value for the ssid parameter [1]. This long input will overflow the ssid_5g buffer on the stack, overwriting critical data such as the saved frame pointer and the return address.
Impact
Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) or arbitrary code execution with root privileges on the affected Tenda CX12L router [1].
Mitigation
No patched version or specific mitigation details are disclosed in the available references. The vendor homepage is provided for further information [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The use of the unsafe sprintf function without length validation allows an overly long SSID to overwrite the stack."
Attack vector
An attacker can remotely trigger this vulnerability by sending a crafted HTTP request to the `/goform/fast_setting_wifi_set` endpoint. The request must include an overly long value for the `ssid` parameter. This crafted input will be processed by the `form_fast_setting_wifi_set` function, leading to a stack-based buffer overflow. The vulnerability can be exploited by an unauthenticated attacker due to the lack of authentication checks on this endpoint [ref_id=1].
Affected code
The vulnerability resides in the `form_fast_setting_wifi_set` function within the `/goform/fast_setting_wifi_set` endpoint. Specifically, the `sprintf(ssid_5g, "%s_5G", p_par);` line is responsible for the overflow, where `p_par` is a user-controlled input obtained via `websGetVar` and `ssid_5g` is a fixed-size stack buffer [ref_id=1].
What the fix does
The advisory recommends replacing the unsafe `sprintf` function with `snprintf` to ensure that the output never exceeds the destination buffer size. Additionally, input validation should be enforced at the function's entry point to limit the maximum length of the `ssid` parameter. This prevents the buffer overflow by ensuring that the `ssid_5g` buffer is not overwritten [ref_id=1].
Preconditions
- authNo authentication is required to access the vulnerable endpoint.
- networkThe attacker must have network access to the affected device.
Reproduction
The following Python script demonstrates how to trigger the overflow by sending a crafted SSID. ```python import requests
url = "http://192.168.15.142/goform/fast_setting_wifi_set"
payload = { 'ssid': b'1500'*10000, }
print(f"[*] 正在向 {url} 发送请求...") res = requests.get(url=url, params=payload) res = requests.get(url=url, params=payload) res = requests.post(url=url, data=payload) res = requests.post(url=url, data=payload)
print(f"[+] 请求完成,状态码: {res.status_code}") ``` [ref_id=1]
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6News mentions
1- Tenda Routers: Four Vulnerabilities Including Critical Buffer Overflow DisclosedVypr Intelligence · Jun 8, 2026