VYPR
Advisory · Published Jun 19, 2026 · Updated Jun 20, 2026 · 1 source

Tenda AC7: Four Stack Buffer Overflow CVEs Hit Same Router Endpoint


Key findings

  • All four CVEs are stack buffer overflows in the same /goform/AdvSetMacMtuWan endpoint
  • Firmware version 15.03.06.44 is affected; no patched build has been released yet
  • Remote code execution is possible if the router's web interface is exposed
  • Each CVE targets a distinct parameter: wanSpeed, wanMTU, cloneType, and mac
  • No active exploitation reported as of the June 19 disclosure date

Four stack buffer overflow vulnerabilities were disclosed on June 19, 2026, affecting the Tenda AC7 router running firmware version 15.03.06.44. All four CVEs reside in the same /goform/AdvSetMacMtuWan interface, making this a tightly clustered disclosure event that exposes a single attack surface to remote code execution. Given the AC7's widespread deployment as a consumer router, the batch represents a significant risk for home and small-office networks.

Each CVE targets a different parameter passed to the AdvSetMacMtuWan handler, but the root cause is identical: the firmware fails to validate input length before copying data into fixed-size stack buffers. CVE-2026-51846 affects the wanSpeed parameter, CVE-2026-51843 the wanMTU parameter, CVE-2026-51844 the cloneType parameter, and CVE-2026-51845 the mac parameter. An unauthenticated attacker on the local network (or potentially from the WAN side if remote management is enabled) can send crafted HTTP POST requests to trigger the overflow and achieve arbitrary code execution with kernel-level privileges.
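As an added illustration (not Tenda's code and not part of the original advisory), the sketch below shows a form handler for the four named parameters that checks length and format before any copy, which is the check the root cause above says is missing. The buffer sizes, the MTU range, the `wan_cfg` struct and every function name are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Sizes and ranges below are assumptions; the advisory does not give the firmware's. */
struct wan_cfg { char speed[8]; char clone_type[8]; char mac[18]; long mtu; };

/* Copy only when src and its NUL fit in dst; the flaw class is this copy with no check. */
static int copy_bounded(char *dst, size_t dstsz, const char *src) {
    const char *end = src ? memchr(src, '\0', dstsz) : NULL;
    if (end == NULL || end == src) return -1;  /* too long or empty: reject, never truncate */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Exactly "XX:XX:XX:XX:XX:XX"; stops at the first bad byte, so it never over-reads. */
static int valid_mac(const char *s) {
    if (s == NULL) return 0;
    for (int i = 0; i < 17; i++)
        if (i % 3 == 2 ? s[i] != ':' : !isxdigit((unsigned char)s[i])) return 0;
    return s[17] == '\0';
}

static int parse_mtu(const char *s, long *out) {
    char *end;
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;
    long v = strtol(s, &end, 10);
    if (*end != '\0' || v < 576 || v > 1500) return -1;  /* assumed valid MTU range */
    *out = v;
    return 0;
}

/* Hypothetical hardened handler: fills cfg only if all four values pass; else -1. */
int set_mac_mtu_wan(struct wan_cfg *cfg, const char *wanSpeed, const char *wanMTU,
                    const char *cloneType, const char *mac) {
    struct wan_cfg tmp = {0};
    if (copy_bounded(tmp.speed, sizeof tmp.speed, wanSpeed) != 0) return -1;
    if (parse_mtu(wanMTU, &tmp.mtu) != 0) return -1;
    if (copy_bounded(tmp.clone_type, sizeof tmp.clone_type, cloneType) != 0) return -1;
    if (!valid_mac(mac) || copy_bounded(tmp.mac, sizeof tmp.mac, mac) != 0) return -1;
    *cfg = tmp;
    return 0;
}

int main(void) {  /* constructed sample: an oversized wanMTU must be rejected */
    struct wan_cfg c;
    return set_mac_mtu_wan(&c, "auto", "999999999", "0", "AA:BB:CC:DD:EE:FF") == -1 ? 0 : 1;
}
```

Over-long values are rejected outright rather than truncated, and the caller's configuration is written only after all four parameters have passed.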

The disclosure did not include reports of active exploitation in the wild as of the publication date. However, the attack vector is well understood: stack buffer overflows in embedded router firmware are routinely weaponized by botnets such as Mirai and its variants. The fact that all four bugs share the same endpoint means a single exploit chain could test multiple parameters, increasing the reliability of a successful compromise.

Tenda has not yet released a patched firmware version for the AC7 as of the disclosure date. Users are advised to disable remote administration, restrict LAN access to trusted devices, and monitor the Tenda support portal for an update. The affected firmware, v15.03.06.44, is the latest publicly available build for the AC7, meaning all current installations are vulnerable until a fix ships.

This batch underscores a recurring pattern in consumer IoT security: a single form handler harboring multiple unchecked parameters, each independently exploitable. For Tenda AC7 owners, the immediate takeaway is that the router's WAN/MTU configuration page should not be reachable from untrusted network segments. Until a firmware update arrives, the only reliable mitigation is to replace or isolate the device.

Synthesized by Vypr AI