CVE-2026-11553
Description
A stack-based buffer overflow in Tenda HG7, HG9, and HG10 routers allows remote attackers to crash the web service or potentially achieve RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow vulnerability exists in the formPPPEdit function of the /boaform/formPPPEdit endpoint on Tenda HG7, HG9, and HG10 routers, specifically affecting firmware version HG7_HG9_HG10re_300001138_en_xpon. The vulnerability arises from the handling of the encodename parameter, which is decoded into a stack buffer without proper length validation [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely by sending a crafted POST request to /boaform/formPPPEdit. The attack involves manipulating the encodename parameter with an overly long value. The vulnerable code path requires the save parameter to be non-empty and the item parameter to be set to 0 [1].
Impact
Successful exploitation can lead to a Denial of Service (DoS) by crashing the Boa web service. Additionally, due to stack corruption, there is a potential for arbitrary code execution (RCE). Since the Boa process runs with elevated privileges, a successful exploit could grant the attacker root-level access to the device [1].
Mitigation
No specific patch or fixed firmware version has been disclosed in the available references. Users are advised to consult Tenda's official website for potential firmware updates or advisories [3].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4 (+ 1 more)
- (no CPE)
- (no CPE)
Patches
0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `formPPPEdit` function in the Boa web management interface does not validate the length of the `encodename` parameter before decoding it, leading to a stack-based buffer overflow."
Attack vector
An attacker can remotely send a crafted POST request to `/boaform/formPPPEdit` with an excessively long `encodename` parameter. This manipulation is performed without requiring authentication or user interaction. The overly long parameter is then decoded into a stack buffer without length enforcement, triggering the overflow [1].
Affected code
The vulnerability resides in the `formPPPEdit` function, accessible via the `/boaform/formPPPEdit` endpoint. Specifically, the code retrieves the `encodename` parameter and passes it to `data_base64decode` without validating its size, which writes to a stack buffer named `v31` [1].
What the fix does
The advisory does not specify a patch or provide details on a fix. Remediation guidance suggests that users should update their firmware, but no specific version is recommended as secure. Because no patch is available, there is no diff showing how the vulnerability is addressed.
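The missing check described under "Affected code" can be illustrated with a decoder that is told the destination capacity and refuses input before writing anything. This is an added example, not Tenda's code or a vendor fix; `NAME_BUF`, `b64_decode_bounded` and `decode_encodename` are hypothetical names, and the 64-byte size is assumed because the page does not give the size of `v31`.

```c
#include <stddef.h>
#include <string.h>

#define NAME_BUF 64  /* assumed size; the page does not state the size of v31 */

/* Map one base64 character to its 6-bit value, or -1 if it is not valid. */
static int b64_val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode padded base64 from src into dst (capacity cap, NUL-terminated).
 * Returns the decoded length, or -1 if malformed or too large for dst. */
long b64_decode_bounded(const char *src, char *dst, size_t cap)
{
    size_t n = strlen(src), pad = 0, out = 0, total;

    if (n == 0 || n % 4 != 0) return -1;
    if (src[n - 1] == '=') pad = (src[n - 2] == '=') ? 2 : 1;
    total = n / 4 * 3 - pad;
    /* The size check runs before any byte is written to dst. */
    if (total + 1 > cap) return -1;

    for (size_t i = 0; i < n; i += 4) {
        unsigned long w = 0;
        for (size_t j = 0; j < 4; j++) {
            unsigned char c = (unsigned char)src[i + j];
            int v = (c == '=' && i + j >= n - pad) ? 0 : b64_val(c);
            if (v < 0) return -1;
            w = (w << 6) | (unsigned long)v;
        }
        for (int j = 0; j < 3 && out < total; j++)
            dst[out++] = (char)((w >> (16 - 8 * j)) & 0xFF);
    }
    dst[out] = '\0';
    return (long)out;
}

/* Hypothetical handler step: reject the request instead of overflowing. */
int decode_encodename(const char *encodename, char name[NAME_BUF])
{
    return b64_decode_bounded(encodename, name, NAME_BUF) < 0 ? -1 : 0;
}
```

A handler using this pattern would return an error response when `decode_encodename` fails rather than continuing with a partially filled buffer.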
Preconditions
- input: The `encodename` parameter must be provided.
- input: The `save` parameter must be non-empty.
- input: The `item` parameter must be set to 0.
- network: The attacker must be able to send HTTP requests to the device.
- auth: No authentication is required to exploit this vulnerability.
Reproduction
Connect to the Tenda HG10 web management interface. Send a crafted POST request to /boaform/formPPPEdit with an excessively long encodename value to overflow the stack buffer v31. Observe that the Boa service crashes and the administrative web interface becomes unreachable [1].
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6
News mentions
1
- Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities Disclosed (Vypr Intelligence · Jun 8, 2026)