| Title | Tenda M3 V1.0.0.13(4903) Stack-based Buffer Overflow |
|---|
| Description | The formSetDhcpForAp handler in /bin/httpd calls formSetRemoteDhcpForAp which is vulnerable to multiple stack overflows due to the absence of user input sanitization and bounds checking on parameters startip, endip, leasetime, gateway, dns1, and dns2 which can lead to corruption of data on the stack, hijacking of control flow, and DoS. The attack can be performed remotely.
The vulnerability is in the memcpy() calls with no bounds checking.
The router must be configured with ac.workmode=master (default) for this vulnerability to be exploitable.
Send a POST request to the /goform/setDhcpAP endpoint to trigger the stack overflow in formSetRemoteDhcpForAp and we can deliver the payload using any of the 6 parameters |
|---|
| Source | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Tenda/setRemoteDhcpForAp.md |
|---|
| User | dwbruijn (UID 93926) |
|---|
| Submission | 12/28/2025 17:49 (3 months ago) |
|---|
| Moderation | 12/29/2025 10:17 (16 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 338642 [Tenda M3 1.0.0.13(4903) /goform/setDhcpAP formSetRemoteDhcpForAp startip/endip/leasetime/gateway/dns1/dns2 stack-based overflow] |
|---|
| Points | 20 |
|---|