Tenda F456 L7Im frmL7ImForm buffer overflow
Description
A security vulnerability has been detected in Tenda F456 1.0.0.5. This affects the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tenda F456 1.0.0.5 has a stack-based buffer overflow in the `frmL7ImForm` function, allowing remote denial-of-service or RCE.
Vulnerability
A stack-based buffer overflow exists in the frmL7ImForm function within the /goform/L7Im endpoint of Tenda F456 firmware version 1.0.0.5 [1]. The function reads the user-controlled page argument and passes it to sprintf without length checking, writing into a fixed-size stack buffer s. This occurs in the httpd binary handling requests to the L7Im form [1].
Exploitation
An attacker can send a crafted POST request to /goform/L7Im with an overly long page parameter [1]. The proof-of-concept demonstrates sending 2319 bytes of payload in the page field via a standard HTTP POST [1]. No authentication or prior session is required; the request can be made remotely from any network position to the vulnerable router [1]. The attack requires no user interaction beyond the target device serving the web interface.
Impact
Successful exploitation overwrites the stack buffer, corrupting memory and allowing remote code execution (RCE) or denial-of-service (DoS) [1]. The attacker gains arbitrary code execution within the context of the httpd process, which typically runs with root privileges on embedded routers, leading to full device compromise [1].
Mitigation
No official fix has been released as of the publication date. The vendor's download page is available at [2], but no updated firmware version is listed. Users should monitor Tenda's support channels for a patched release. As a workaround, restrict access to the router's management interface to trusted internal networks only, or disable remote management if not needed [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing length validation on the user-supplied `page` argument before `sprintf` copies it into a stack buffer, causing a buffer overflow."
Attack vector
An unauthenticated attacker sends a crafted POST request to `/goform/L7Im` with an overly long `page` parameter. The httpd process copies the attacker-controlled string into a fixed stack buffer via `sprintf` with no bounds checking, overflowing adjacent stack memory. This can corrupt return addresses or other critical data, leading to denial of service or remote code execution [ref_id=1].
Affected code
The vulnerability resides in the `frmL7ImForm` function inside the httpd binary, reachable via the `/goform/L7Im` endpoint. The function reads the user-supplied `page` parameter and passes it to `sprintf` without any length check, causing a stack-based buffer overflow on the local buffer `s` [ref_id=1].
What the fix does
No patch has been published by Tenda for this vulnerability. The advisory [ref_id=1] recommends that developers add length validation on the `page` parameter before passing it to `sprintf`, or replace the unbounded `sprintf` with a bounded function such as `snprintf` to prevent stack overflow.
Preconditions
- configThe target device must be running Tenda F456 firmware version 1.0.0.5 with the httpd web server exposed.
- networkThe attacker must be able to send HTTP POST requests to the /goform/L7Im endpoint (network reachability).
- authNo authentication is required; the endpoint is accessible without valid credentials.
- inputThe attacker supplies an arbitrarily long 'page' parameter value in the POST body.
Reproduction
Send a POST request to `http://
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/Litengzheng/vuldb_new/blob/main/F456/vul_2/README.mdmitreexploit
- vuldb.com/submit/813444mitrethird-party-advisory
- vuldb.com/vuln/365352mitrevdb-entrytechnical-description
- vuldb.com/vuln/365352/ctimitresignaturepermissions-required
- www.tenda.com.cnmitreproduct
News mentions
0No linked articles in our index yet.