CVE-2026-51606 in CP3info

Summary

by MITRE • 07/09/2026

An improper input handling vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) causes the device to abruptly terminate the TCP connection with a RST packet when a request containing an oversized field value is received, without returning any RFC 2326-compliant error response. This behavior affects the request-line URL field and header field values across multiple RTSP request types.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability represents a classic input validation flaw that manifests in the Real Time Streaming Protocol service of Tenda CP3 V3.0 devices running firmware version V31.1.9.91. The issue stems from inadequate handling of oversized field values within RTSP requests, specifically affecting both the request-line URL field and various header field values across multiple RTSP request types. When malformed requests containing excessive data are processed by the device's RTSP service, the system responds by abruptly terminating TCP connections through RST packet generation rather than implementing proper error handling mechanisms. This behavior deviates significantly from RFC 2326 compliance standards which require servers to return appropriate error responses when encountering malformed requests. The vulnerability falls under CWE-20, which categorizes improper input validation as a fundamental weakness in software design and implementation. From an operational perspective, this flaw creates a denial of service condition where legitimate users may experience intermittent connectivity issues or complete service interruption when the device encounters oversized RTSP requests. The abrupt connection termination without proper error signaling makes it difficult for network administrators to diagnose the root cause of service disruptions, as the device fails to provide meaningful diagnostic information that would normally be included in RFC 2326-compliant error responses.

The technical implications of this vulnerability extend beyond simple service disruption to create potential security risks within network infrastructure. When a device consistently terminates TCP connections without proper error handling, it can be exploited by malicious actors to perform denial of service attacks against RTSP services, particularly in environments where these devices serve as streaming media servers or surveillance equipment. The behavior aligns with ATT&CK technique T1498 which involves network disruption attacks that can be performed through various means including malformed requests that cause service unavailability. Network monitoring systems may struggle to differentiate between legitimate connection terminations and those caused by this vulnerability, potentially masking actual security incidents. The specific nature of the flaw affects multiple RTSP request types, indicating a systemic issue within the protocol handling logic rather than an isolated incident. This suggests that attackers could craft various malformed requests targeting different aspects of the RTSP implementation, making the vulnerability more broadly exploitable across different streaming scenarios and potentially affecting other network services that rely on similar connection management patterns.

The operational impact of this vulnerability creates significant challenges for system administrators who must maintain reliable RTSP services while dealing with unpredictable connection terminations. Devices may experience intermittent service degradation or complete unavailability during periods when oversized requests are processed, particularly in environments where automated monitoring systems or malicious actors actively probe network infrastructure. The lack of RFC 2326-compliant error responses means that troubleshooting becomes significantly more complex as standard diagnostic procedures cannot be effectively applied to identify the root cause of connection failures. This vulnerability also impacts network reliability metrics since connection drops are not properly logged or reported, making it difficult to implement effective monitoring and alerting systems. Organizations relying on Tenda CP3 devices for streaming applications may experience service interruptions that affect video surveillance, live streaming, or other time-sensitive applications where consistent connectivity is critical. The vulnerability's presence in firmware version V31.1.9.91 indicates that this was likely an unpatched issue that required firmware updates to address the improper input handling behavior, highlighting the importance of regular firmware maintenance and security updates for network devices. From a broader security perspective, this flaw demonstrates how seemingly minor input validation issues can create significant operational problems and potentially expose networks to more sophisticated attacks that exploit similar connection management vulnerabilities.

Responsible

MITRE

Reservation

06/08/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!