Primary

Context

Tenda AC6 Stack Overflow Vulnerability in saveParentControlInfo Function

Vulnerability

A stack overflow vulnerability has been identified in the Tenda AC6 router, specifically in the firmware version V15.03.06.23_multi. The issue arises in the saveParentControlInfo function, where user-supplied data in the deviceName parameter is not properly validated, allowing for a buffer overflow on the stack.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly result in arbitrary code execution or causing the device to crash.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /goform/saveParentControlInfo endpoint. The request must include a crafted deviceName parameter that exceeds the buffer limit, causing a stack overflow. This can be done by using a deviceName value that is significantly longer than the maximum allowed size.

Added: Aug 20, 2025, 2:24 PM

Updated: Aug 20, 2025, 2:44 PM

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

2.5

exploitability

6.2

remediation

0.0

relevance

0.4

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

2.5

exploitability

6.2

remediation

0.0

relevance

0.4

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tenda AC6 Stack Overflow Vulnerability in saveParentControlInfo Function

Vulnerability

Impact

Reproduction

Affected Products

Tenda AC6

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating