| Title | Tenda HG9 V300001138 Stack-based Buffer Overflow |
|---|---|
| Description | During a security review of the Tenda HG9 router firmware (version V300001138), a stack-based buffer overflow vulnerability was identified in the IPv6 diagnostic ping endpoint /boaform/formPing6. The vulnerability exists in the error handling path of the formPing6 function. The function executes a ping6 command using the user-supplied pingAddr. If the command execution returns an error message containing "ping6: bad", the function attempts to format a user-friendly error message using sprintf into a local stack buffer named v13. The destination buffer v13 is defined as an array of 128 DWORDs, which is equivalent to 512 bytes. However, the sprintf function directly copies the user-supplied pingAddr into this buffer without checking its length. If an attacker provides a pingAddr string that is significantly longer than 512 bytes (and triggers the "ping6: bad" error condition), the sprintf function will write past the end of the buffer, overwriting the return address and causing a crash or potential Remote Code Execution (RCE). |
| Source | https://github.com/QIU-DIE/cve-nneeww/issues/12 |
| User | LINXI666 (UID 91556) |
| Submitted | 10/02/2026 08:38 (3 months ago) |
| Moderated | 20/02/2026 21:15 (11 days later) |
| Status | Accepted |
| VulDB entry | 347219 [Tenda HG9 300001138 /boaform/formPing6 pingAddr buffer overflow] |
| Points | 20 |
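
The fix pattern for the error path described above, as an added example (not the Tenda firmware's code and not the reporter's): validate pingAddr before ping6 runs, and build the error message with a bounded formatter instead of sprintf. The function names, the message text and the IPv6-literal-only policy are assumptions; only the 512-byte buffer size comes from the report.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define ERR_BUF_SIZE 512   /* 128 DWORDs, the size the report gives for v13 */

/* Pattern the report describes (message text assumed):
 *     sprintf(v13, "ping6: bad address '%s'", pingAddr);   no length check
 */

/* Assumed policy: accept only an IPv6 literal, checked before ping6 runs. */
int ping6_addr_ok(const char *addr)
{
    struct in6_addr parsed;
    size_t len = 0;

    if (addr == NULL)
        return 0;
    while (len < INET6_ADDRSTRLEN && addr[len] != '\0')
        len++;                               /* bounded scan of the input */
    if (len == 0 || len >= INET6_ADDRSTRLEN)
        return 0;                            /* empty or too long for a literal */
    return inet_pton(AF_INET6, addr, &parsed) == 1;
}

/* Bounded formatter: returns 0 if the message fit, -1 if it was truncated.
 * dst is NUL-terminated in both cases and never written past cap bytes. */
int format_ping6_error(char *dst, size_t cap, const char *addr)
{
    int n = snprintf(dst, cap, "ping6: bad address '%s'", addr);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void)
{
    char oversized[2001];                    /* constructed sample input */
    char msg[ERR_BUF_SIZE];

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("valid literal accepted: %d\n", ping6_addr_ok("fe80::1"));
    printf("oversized accepted:     %d\n", ping6_addr_ok(oversized));
    printf("format result: %d, stored length: %zu\n",
           format_ping6_error(msg, sizeof msg, oversized), strlen(msg));
    return 0;
}
```

Either check alone stops the overflow; applying both keeps oversized input away from the ping6 command as well as from the error buffer.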