Tenda F1202 GstDhcpSetSerof formGstDhcpSetSer stack-based overflow
Description
A vulnerability was found in Tenda F1202 1.2.0.20(408). It affects the function formGstDhcpSetSer of the file /goform/GstDhcpSetSerof. Manipulating the argument dips can lead to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tenda F1202 firmware 1.2.0.20(408) has a stack-based buffer overflow in formGstDhcpSetSer via the dips argument, enabling remote code execution.
Vulnerability
The vulnerability resides in the httpd binary of Tenda F1202 firmware version 1.2.0.20(408). The function formGstDhcpSetSer in the file /goform/GstDhcpSetSerof handles the dips argument without proper length validation. The dips value is written into a stack buffer by a sprintf-style function, and the lack of bounds checking leads to a stack-based buffer overflow [1].
Exploitation
The attacker must be able to send HTTP POST requests to the router’s web interface. No authentication is required, as the vulnerable endpoint is exposed. By crafting a POST request to /goform/GstDhcpSetSerof with an overly long dips argument, the stack buffer overflows. A publicly disclosed proof of concept demonstrates a similar overflow in the related formSafeEmailFilter function [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to overwrite adjacent stack memory. This can lead to denial of service (device crash) or arbitrary code execution at the privilege level of the httpd process, giving the attacker full control over the router [1].
Mitigation
No fixed version has been released by Tenda as of the publication date. Users should monitor the vendor’s support page [2] for a firmware update. Until a patch is available, restrict external access to the router’s management interface and disable remote administration if possible.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing length validation in `fromSafeEmailFilter` allows unbounded `sprintf` copy of the `page` parameter into a stack buffer."
Attack vector
An attacker sends a crafted POST request to `/goform/SafeEmailFilter` with an overly long `page` parameter. The `fromSafeEmailFilter` function copies this attacker-controlled string into a fixed stack buffer via `sprintf` without bounds checking, causing a stack-based buffer overflow [1]. The attack is launched remotely over HTTP and requires no authentication beyond network access to the router's web interface.
Affected code
The vulnerability is in the `fromSafeEmailFilter` function of the httpd binary on the Tenda F1202 router (version 1.2.0.20(408)). The function reads a user-provided `page` parameter and passes it to `sprintf` without any length check, overflowing the stack-based buffer `s` [1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or commit diff. To remediate, the `fromSafeEmailFilter` function should validate the length of the `page` parameter before passing it to `sprintf`, or use a bounded copy function such as `snprintf` to prevent stack buffer overflow [1].
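The remediation described above (validate the length, then use a bounded copy) as an added example; it is not Tenda's code and not taken from the advisory. The buffer size, length limit, format string and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_MAX 16  /* assumption: longest legitimate parameter value */
#define BUF_SIZE 64  /* assumption: size of the handler's stack buffer */

/* Unbounded pattern described above, kept as a comment only:
 *     char s[BUF_SIZE];
 *     sprintf(s, "example.asp?page=%s", page);
 */

/* Format page into dst. Returns 0 on success, -1 if the input is missing,
 * longer than PAGE_MAX, or the result would not fit in dstsz bytes. */
static int format_page_bounded(char *dst, size_t dstsz, const char *page)
{
    size_t len = 0;
    int n;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (page == NULL)
        return -1;
    /* Length validation: never scan more than PAGE_MAX + 1 bytes. */
    while (len <= PAGE_MAX && page[len] != '\0')
        len++;
    if (len > PAGE_MAX)
        return -1;
    /* Bounded copy: snprintf returns the length it wanted to write, so a
     * value >= dstsz means truncation; reject instead of using a cut string. */
    n = snprintf(dst, dstsz, "example.asp?page=%s", page);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical handler: maps the result to an HTTP status code. */
static int handle_page_request(const char *page)
{
    char s[BUF_SIZE];

    return format_page_bounded(s, sizeof s, page) == 0 ? 200 : 400;
}

int main(void)
{
    printf("%d\n", handle_page_request("2"));                    /* 200 */
    printf("%d\n", handle_page_request("AAAAAAAAAAAAAAAAAAAA")); /* 400 */
    return 0;
}
```

Checking the `snprintf` return value matters as much as switching functions: silently truncated output can still be misused by later code, so the handler rejects the request instead.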
Preconditions
- network: Attacker must have network access to the router's HTTP management interface
- auth: No authentication required; the vulnerable endpoint is reachable without valid credentials
Reproduction
Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Litengzheng/vuldb_new2/blob/main/F1202/vul_32/README.md (mitre; exploit)
- vuldb.com/submit/813915 (mitre; third-party-advisory)
- vuldb.com/vuln/365411 (mitre; vdb-entry; technical-description)
- vuldb.com/vuln/365411/cti (mitre; signature; permissions-required)
- www.tenda.com.cn (mitre; product)