Tenda F451 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5992)
Tenda F451 version 1.0.0.7 is vulnerable to a stack-based buffer overflow in the fromP2pListFilter function, allowing remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/P2pListFilter file.
CVE-2026-5992 is a critical stack-based buffer overflow vulnerability affecting Tenda F451 version 1.0.0.7. The vulnerability resides within the fromP2pListFilter function of the /goform/P2pListFilter file. Attackers can remotely exploit this flaw by manipulating the page argument, potentially leading to arbitrary code execution. Publicly available exploits exist, increasing the likelihood of exploitation. Given the prevalence of Tenda routers and the ease of remote exploitation, this vulnerability poses a significant risk to home and small business networks. Successful exploitation could allow attackers to gain complete control of the affected device, leading to data theft, network compromise, and potential use in botnet activities. Defenders should prioritize detection and mitigation efforts to prevent exploitation.
Attack Chain
- The attacker identifies a vulnerable Tenda F451 router running firmware version 1.0.0.7.
- The attacker crafts a malicious HTTP request targeting the
/goform/P2pListFilterendpoint. - The crafted request includes a
pageargument with a payload exceeding the buffer size allocated for it in thefromP2pListFilterfunction. - The router processes the malicious HTTP request, triggering the stack-based buffer overflow within the
fromP2pListFilterfunction due to insufficient bounds checking on thepageargument. - The overflow overwrites adjacent memory regions on the stack, including the return address.
- When the
fromP2pListFilterfunction returns, it jumps to the address overwritten by the attacker-controlled payload. - The attacker-controlled payload executes arbitrary code on the router, such as downloading and executing a malicious binary from a remote server or modifying router configuration.
- The attacker gains complete control of the router, enabling them to perform malicious activities such as eavesdropping on network traffic, modifying DNS settings, or using the router as part of a botnet.
Impact
Successful exploitation of CVE-2026-5992 allows remote attackers to gain complete control of vulnerable Tenda F451 routers. This can lead to a variety of malicious activities, including data theft, network compromise, and botnet recruitment. Given the widespread use of Tenda routers, a large number of devices are potentially at risk. If attackers successfully exploit this vulnerability, they can perform man-in-the-middle attacks, redirect users to malicious websites, and compromise connected devices on the network.
Recommendation
- Monitor web server logs for HTTP requests targeting the
/goform/P2pListFilterendpoint with unusually longpageparameters to detect potential exploitation attempts. Use the Sigma ruleTenda F451 P2P Filter Buffer Overflow Attemptto identify this behavior. - Deploy network intrusion detection systems (IDS) rules to detect exploitation attempts targeting CVE-2026-5992.
- Unfortunately, there is no patch available as of this writing, and the device is end-of-life. Consider replacing the affected device.
Detection coverage 2
Tenda F451 P2P Filter Buffer Overflow Attempt
criticalDetects attempts to exploit the stack-based buffer overflow vulnerability (CVE-2026-5992) in the Tenda F451 router by monitoring HTTP requests to the /goform/P2pListFilter endpoint with overly long 'page' parameters.
Tenda F451 Unauthorized Access to P2P Filter
mediumDetects unauthorized attempts to access the P2P filter configuration page on Tenda F451 routers, which may indicate reconnaissance or exploitation attempts.
Detection queries are available on the platform. Get full rules →