{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5154/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5154"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5154","tenda","buffer-overflow","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-5154, has been discovered in Tenda CH22 firmware version 1.0.0.1/1.If. The vulnerability resides within the \u003ccode\u003efromSetCfm\u003c/code\u003e function in the \u003ccode\u003e/goform/setcfm\u003c/code\u003e file, a component of the Parameter Handler. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to affected Tenda CH22 devices, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Tenda CH22 device running firmware version 1.0.0.1/1.If.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/setcfm\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003efuncname\u003c/code\u003e argument containing a string exceeding the buffer size allocated to it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromSetCfm\u003c/code\u003e function processes the malicious \u003ccode\u003efuncname\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003efuncname\u003c/code\u003e value overflows the stack buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the return address on the stack with an address pointing to malicious code or a ROP chain.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromSetCfm\u003c/code\u003e function returns, causing execution to jump to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the device, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the affected Tenda CH22 device. This can result in complete device compromise, allowing the attacker to control the device, steal sensitive information, or use the device as a foothold for further attacks on the network. Given the availability of public exploits, a large number of devices could be compromised if left unpatched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/setcfm\u003c/code\u003e with unusually long \u003ccode\u003efuncname\u003c/code\u003e parameters, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to \u003ccode\u003e/goform/setcfm\u003c/code\u003e to mitigate potential brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply any available patches or firmware updates from Tenda to address CVE-2026-5154.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T23:17:04Z","date_published":"2026-03-30T23:17:04Z","id":"/briefs/2026-03-tenda-ch22-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability exists in Tenda CH22 1.0.0.1/1.If allowing remote attackers to execute arbitrary code by manipulating the `funcname` argument in the `/goform/setcfm` endpoint.","title":"Tenda CH22 Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ch22-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5154","version":"https://jsonfeed.org/version/1.1"}