| Título | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow |
|---|
| Descrição | The formSetVlanInfo handler in /bin/httpd calls formSetRemoteVlanInfo (under certain conditions) which is vulnerable to multiple stack overflows due to the complete absence of user input sanitization and bounds checking on parameters ID, vlan, and port which can lead to corruption of data on the stack, hijacking of control flow, and DoS. The attack can be performed remotely.
The vulnerability is in the memcpy() calls with no bounds checking.
The following conditions must be satisfied for this vulnerability to be exploitable:
✅ 1. Router configured with ac.workmode=master
✅ 2. HTTP request includes Cookie header
✅ 3. Cookie contains devUid parameter
✅ 4. devUid format: devUid=IP:PORT;
✅ 5. IP must be valid dotted-quad format (xxx.xxx.xxx.xxx)
Send a POST request to the /goform/setVlanInfo endpoint to trigger the stack overflow in formSetRemoteVlanInfo |
|---|
| Fonte | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteVlanInfo.md |
|---|
| Utilizador | dwbruijn (UID 93926) |
|---|
| Submissão | 28/12/2025 17h31 (há 4 meses) |
|---|
| Moderação | 29/12/2025 09h01 (15 hours later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 338627 [Tenda M3 1.0.0.13(4903) /goform/setVlanInfo formSetRemoteVlanInfo ID/vlan/port Excesso de tampão] |
|---|
| Pontos | 20 |
|---|