CVE-2026-11528
Description
A stack-based buffer overflow in Tenda AC18's Web Management Interface allows remote attackers to execute arbitrary code or cause a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow vulnerability exists in the Web Management Interface of Tenda AC18 routers with firmware version V15.03.05.05. The vulnerability is located in the sub_45304 function within the /goform/getRebootStatus endpoint. An attacker can trigger this by sending an overly long string as the callback parameter, which is processed without proper length checks and directly concatenated into a fixed-size buffer using sprintf [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a crafted HTTP POST request to the /goform/getRebootStatus endpoint. The request must contain a callback parameter with a string significantly longer than the allocated 64-byte buffer. This overflow can overwrite the return address on the stack, allowing for control of the program's execution flow [1].
Impact
Successful exploitation of this vulnerability can lead to a crash of the web service, resulting in a Denial of Service (DoS). In more severe cases, it may allow an attacker to achieve Remote Code Execution (RCE) by hijacking the function's return address [1].
Mitigation
No patched version or specific mitigation details are available in the provided references. The vendor's website is for general product information and support [2].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The function sub_45304 in the Web Management Interface does not validate the length of the callback argument, leading to a stack-based buffer overflow."
Attack vector
An attacker can remotely exploit this vulnerability by sending a POST request to the /goform/getRebootStatus endpoint with a crafted, overly long string in the callback parameter [1]. This input is directly concatenated into a fixed-size stack buffer using the unsafe sprintf function without any length checks [1]. The overflow can overwrite critical control data on the stack, potentially leading to denial of service or remote code execution [1].
Affected code
The vulnerability resides in the sub_45304 function, which is associated with the /goform/getRebootStatus endpoint within the Web Management Interface component [1]. Specifically, the use of the sprintf function to concatenate the user-controlled callback parameter into a fixed-size buffer is the cause of the overflow [1].
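The bounded alternative to the sprintf pattern described above, as an added example: this is not Tenda's firmware code and not a vendor patch. The function names, the response format string, and the 32-character allow-list for callback are assumptions made for illustration; only the 64-byte buffer size and the callback parameter come from the write-up.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define RESP_BUF_SIZE 64  /* fixed buffer size given in the write-up */
#define CALLBACK_MAX  32  /* assumed policy limit, not from the advisory */

/* Pattern described above (comment only, never compiled):
 *     char buf[RESP_BUF_SIZE]; sprintf(buf, "%s(...)", callback);  */

/* Accept only short identifier-like callback names (assumed allow-list). */
static int callback_is_valid(const char *cb)
{
    size_t i;
    if (cb == NULL || cb[0] == '\0')
        return 0;
    for (i = 0; cb[i] != '\0'; i++) {
        unsigned char c = (unsigned char)cb[i];
        if (i >= CALLBACK_MAX)
            return 0;                      /* too long: stop scanning early */
        if (!isalnum(c) && c != '_' && c != '.' && c != '$')
            return 0;
    }
    return 1;
}

/* Writes callback({"status":N}) into out (hypothetical response format).
 * Returns the length written, or -1 with out emptied on rejection. */
int build_reboot_status(char *out, size_t out_len, const char *callback, int status)
{
    int n;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!callback_is_valid(callback))
        return -1;
    n = snprintf(out, out_len, "%s({\"status\":%d})", callback, status);
    if (n < 0 || (size_t)n >= out_len) {   /* truncated: treat as an error */
        out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[RESP_BUF_SIZE];
    return build_reboot_status(buf, sizeof buf, "onStatus", 0) < 0;
}
```

Validating the parameter before formatting and treating snprintf truncation as an error are independent checks; either one alone keeps the write inside the buffer.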
What the fix does
The advisory does not specify any patches or provide remediation guidance. Therefore, no fix explanation can be provided.
Preconditions
- auth: The attacker requires low privileges to exploit this vulnerability.
- network: The attack can be launched remotely.
Reproduction
import requests

host = "192.168.0.1:80"

def exploit_sub_45304():
    url = f"http://{host}/goform/getRebootStatus"
    cyclic = b'A' * 0x1000
    data = {
        b"callback": cyclic
    }
    res = requests.post(url=url, data=data)
    print(res.content)

exploit_sub_45304()
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (1)
- Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities Disclosed (Vypr Intelligence · Jun 8, 2026)