VYPR
Unrated severity · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

CVE-2026-51846

Description

In Tenda AC7 v15.03.06.44, the wanSpeed parameter of the route /goform/AdvSetMacMtuWan has a stack buffer overflow vulnerability that can lead to remote arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"Missing bounds check in check_param_changed: strcpy copies user-supplied wanSpeed into a stack buffer without size validation."

Attack vector

**Attack Vector:** An unauthenticated attacker sends a crafted HTTP POST request to the `/goform/AdvSetMacMtuWan` endpoint on the Tenda AC7 router (v15.03.06.44). The `wanSpeed` parameter is copied into a fixed-size stack buffer using `strcpy` without length validation. By supplying an oversized `wanSpeed` value, as shown in the PoC payload, the attacker overflows the buffer, enabling denial-of-service or remote arbitrary code execution. The vulnerability is reachable from the LAN (typically 192.168.0.0/24) with no prior authentication required [ref_id=1].

What the fix does

**Fix Explanation:** The advisory [ref_id=1] identifies that the `check_param_changed` method uses `strcpy` to copy user-supplied `wanSpeed` data into a stack buffer without any size check. No official patch is shown in the bundle. To remediate, the vendor must replace the unbounded `strcpy` call with a bounded copy (e.g., `strncpy` or `snprintf`) and enforce a maximum length for the `wanSpeed` parameter. Without such a patch, an attacker can corrupt the stack and hijack control flow.
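The bounded copy described above, as an added example (not vendor code and not taken from the advisory). The buffer size `WAN_SPEED_BUF` and the names `bounded_copy`, `strncpy_terminated` and `set_wan_speed` are assumptions for illustration; the real buffer size in `check_param_changed` is not given on this page.

```c
#include <stdio.h>
#include <string.h>

#define WAN_SPEED_BUF 16   /* assumed size; the advisory does not give the real one */

/* Copy src into dst only if it fits including the NUL terminator.
 * Returns 0 on success, -1 on rejection (dst is left as an empty string).
 * Oversized input is rejected rather than truncated, so a clipped value
 * is never processed as if it were valid. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    /* snprintf never writes more than dstsz bytes and returns the length
     * the full string would have needed, which exposes truncation. */
    int need = snprintf(dst, dstsz, "%s", src);
    if (need < 0 || (size_t)need >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* strncpy alone is not a fix: when src fills the buffer it writes no NUL.
 * Returns 1 if the input was truncated, 0 otherwise; dst is always terminated. */
int strncpy_terminated(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';              /* the step that is easy to forget */
    return strlen(src) >= dstsz;
}

/* Hypothetical stand-in for the handler's copy of wanSpeed. */
int set_wan_speed(const char *wanSpeed)
{
    char speed[WAN_SPEED_BUF];
    /* vulnerable pattern described in the advisory: strcpy(speed, wanSpeed); */
    if (bounded_copy(speed, sizeof speed, wanSpeed) != 0)
        return -1;                      /* reject the request */
    return (int)strlen(speed);          /* accepted length, for the caller */
}
```

Rejecting on length is preferable to silent truncation here, because a truncated configuration value would still be acted on by the rest of the handler.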

Preconditions

  • network: Attacker must have network access to the router's LAN interface (typically 192.168.0.0/24)
  • auth: No authentication is required; the POST endpoint is exposed without session validation
  • input: The attacker controls the 'wanSpeed' form parameter in the HTTP request

Reproduction

The bundle includes a raw PoC HTTP request. Send the following POST to `http://<router-ip>/goform/AdvSetMacMtuWan`:

```
POST /goform/AdvSetMacMtuWan HTTP/1.1
Host: 192.168.0.1
Content-Length: 751
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: password=jtc1qw

wanMTU=1500&wanSpeed=1AAAAA1AAAA...<751-byte payload>&cloneType=0&mac=B4:0F:3B:2E:64:19
```

[ref_id=1]

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
