VYPR
Published Jun 8, 2026 · 1 source

Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities Disclosed


Key findings

  • Thirteen vulnerabilities disclosed on June 8, 2026, affecting multiple Tenda router models.
  • Includes a critical (CVSSv3 9.8) stack-based buffer overflow in Tenda HG7HG9 and HG10 models (CVE-2026-11499).
  • OS command injection vulnerability (CVE-2026-11556) found in Tenda F451 models.
  • Multiple stack-based buffer overflows and Denial of Service vulnerabilities affect various Tenda devices.
  • A medium-severity flaw (CVE-2026-11493) in Tenda AC15 leads to weak password requirements via Samba.
  • Remote exploitation is possible for several of the disclosed high and critical severity vulnerabilities.

On June 8, 2026, thirteen vulnerabilities affecting various Tenda router models were disclosed, ranging in severity from medium to critical. The disclosures, clustered within an 11-hour window, highlight potential security weaknesses in Tenda's device firmware, and many of the flaws allow remote exploitation.

The majority of the disclosed vulnerabilities are stack-based buffer overflows, a common class of vulnerability that can lead to denial-of-service conditions or, more critically, remote code execution. These flaws were found across multiple Tenda models, including the F451, HG7HG9, HG10, AC18, W20E, CX12L, and AC1206.

Specifically, CVE-2026-11553, CVE-2026-11528, CVE-2026-11524, CVE-2026-11523, CVE-2026-11522, CVE-2026-11504, and CVE-2026-11503 all detail stack-based buffer overflows stemming from manipulations of various arguments within their respective web management interfaces or configuration endpoints. These vulnerabilities could allow remote attackers to crash the device or potentially execute arbitrary code.

Adding to the severity, CVE-2026-11499, rated critical with a CVSSv3 score of 9.8, is also a stack-based buffer overflow affecting Tenda HG7HG9 and HG10 models. This critical flaw arises from manipulation of the blkDomain argument in the formDOMAINBLK function. Another critical finding, CVE-2026-11556, involves OS command injection in the formWriteFacMac function of Tenda F451, allowing remote attackers to execute arbitrary commands by manipulating the mac argument.
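As an added illustration (not Tenda firmware code and not taken from the CVE descriptions): the two input checks whose absence these bug classes imply, a length-checked copy for a request argument such as blkDomain and a strict format check for a value such as mac before it reaches any command. The function names, the 32-byte buffer and the sample values are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept only "XX:XX:XX:XX:XX:XX" (17 characters, hex
 * digits separated by colons). Everything else, shell metacharacters
 * included, is rejected before the value can be used in a command. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {                 /* positions 2, 5, 8, 11, 14 */
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hypothetical helper: copy a request argument into a fixed-size buffer.
 * Returns 0 on success, -1 if the value is missing or does not fit.
 * Oversize input is rejected outright, never truncated or copied unchecked. */
int copy_form_arg(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)                  /* no room for the terminator */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char domain[32];                      /* constructed buffer size */
    char big[64];                         /* constructed oversize input */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("well-formed mac: %d\n", is_valid_mac("00:11:22:aa:BB:cc"));
    printf("malformed mac:   %d\n", is_valid_mac("00:11:22:aa:BB:c;"));
    printf("short domain:    %d\n", copy_form_arg(domain, sizeof domain, "ads.example.test"));
    printf("oversize domain: %d\n", copy_form_arg(domain, sizeof domain, big));
    return 0;
}
```

Even a validated value is safer passed as a separate argv element to an exec-family call than concatenated into a shell command string.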

Further compounding the issue, CVE-2026-36786 and CVE-2026-36789 describe stack overflows in Tenda FH451 and AC1206 models, respectively, which can lead to Denial of Service (DoS) conditions. These are triggered by crafted HTTP requests targeting specific functions like fromDhcpListClient and fromGstDhcpSetSer.

Beyond buffer overflows and command injection, CVE-2026-11493, a medium-severity vulnerability, affects Tenda AC15 models. This weakness lies within the Samba component and relates to weak password requirements, potentially allowing for unauthorized access within a local network.

The provided information does not state which firmware versions were patched or whether a universal fix was released. Even so, the spread of these vulnerabilities across multiple models and functions suggests that a significant security review may be warranted for Tenda device users. The descriptions note that exploits have been disclosed for some of these vulnerabilities, which underlines the urgency for users to look for and apply any available updates from Tenda.

Synthesized by Vypr AI