CVE-2026-51600 in CP3
Summary
by MITRE • 07/09/2026
Tenda CP3 V3.0 firmware V31.1.9.91 does not validate the Content-Length header field in RTSP requests (including DESCRIBE, SETUP, and PLAY methods). When a request carrying a Content-Length header is received without a corresponding message body, the RTSP parser enters a persistent body-awaiting state, causing the affected TCP connection to become permanently non-functional. The device does not actively close the connection, resulting in a TCP resource leak. This issue can be exploited by an unauthenticated remote attacker to cause a denial-of-service condition.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability resides in the Tenda CP3 V3.0 router firmware version V31.1.9.91 where the RTSP service fails to properly validate Content-Length header fields in incoming requests. The flaw specifically affects RTSP methods including DESCRIBE, SETUP, and PLAY operations, creating a critical security weakness that can be exploited remotely without authentication. The device's RTSP parser demonstrates inadequate input validation behavior when processing requests containing Content-Length headers but lacking corresponding message bodies. When such malformed requests are received, the parser enters an indefinite waiting state expecting a body that will never arrive, effectively locking the TCP connection in a non-functional state.
The technical implementation flaw stems from improper handling of HTTP-style request parsing within the RTSP protocol context. According to CWE-129, this represents an input validation vulnerability where the system fails to properly validate the consistency between header fields and message content. The device's failure to maintain proper state management during RTSP request processing creates a resource exhaustion scenario that can be systematically exploited. This behavior aligns with ATT&CK technique T1499.004 for network denial-of-service attacks, where adversaries leverage protocol implementation weaknesses to consume system resources.
The operational impact of this vulnerability is significant as it enables unauthenticated remote attackers to cause persistent TCP connection leaks across the affected device's RTSP service. Each exploited connection consumes valuable TCP resources that cannot be reclaimed until the device is rebooted or the connection times out naturally. The persistent nature of this resource leak means that multiple attackers can sequentially exhaust available connections, leading to complete service disruption for legitimate users. This vulnerability particularly affects devices that expose RTSP services to external networks, making it a prime target for network-level DoS attacks.
Mitigation strategies should focus on implementing proper input validation within the RTSP parser component to ensure Content-Length header consistency with actual message body content. Network administrators should consider disabling RTSP services entirely if they are not actively required, as this eliminates the attack surface. Device firmware updates from Tenda should be prioritized to address the underlying parsing logic flaw. Additional network-level protections such as connection rate limiting and TCP connection tracking can help detect and prevent exploitation attempts. According to NIST SP 800-53 security controls, proper input validation and resource management should be implemented at protocol parsing layers to prevent similar vulnerabilities from being exploited in future scenarios.