| Title | Tenda CH22 V1.0.0.1 Buffer Over-read |
|---|
| Description | A critical stack buffer overflow vulnerability exists in the CH22 V1.0.0.1 firmware. The vulnerability is located in the fromqossetting function handling QoS settings. The application retrieves the page parameter from the HTTP request via sub_28B84 and passes it to a sprintfcall:sprintf(s, "qos_list.asp?page=%s", v8);. The buffer shas a fixed size of 256 bytes. An unauthenticated remote attacker can send a crafted HTTP request with an excessively longpageparameter (e.g., > 256 bytes), causing thesprintf` function to overflow the stack buffer. |
|---|
| Source | ⚠️ https://github.com/master-abc/cve/blob/main/Tenda%20CH22%20V1.0.0.1%20Router%20Stack%20Buffer%20Overflow%20in%20fromqossetting%20function.md |
|---|
| User | jiefengliang (UID 93721) |
|---|
| Submission | 12/22/2025 08:37 (4 months ago) |
|---|
| Moderation | 12/24/2025 17:50 (2 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 277436 [Tenda CH22 1.0.0.6(468) /goform/fromqossetting qos stack-based overflow] |
|---|
| Points | 0 |
|---|