{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5604/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5604"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5604","buffer-overflow","tenda","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5604 details a critical security vulnerability affecting Tenda CH22 router version 1.0.0.1. The vulnerability is a stack-based buffer overflow located in the \u003ccode\u003eformCertLocalPrecreate\u003c/code\u003e function within the \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e file, which handles parameters. Attackers can exploit this flaw by manipulating the \u003ccode\u003estandard\u003c/code\u003e argument. The vulnerability can be triggered remotely, meaning an attacker does not need local access to the device. Given that a public exploit is available, this vulnerability poses a significant risk to users of the affected Tenda CH22 router. This allows unauthenticated attackers to potentially gain full control of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Tenda CH22 router version 1.0.0.1 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes an overly long string as the value for the \u003ccode\u003estandard\u003c/code\u003e parameter in the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe Tenda CH22 router receives the malicious request and passes the \u003ccode\u003estandard\u003c/code\u003e parameter to the \u003ccode\u003eformCertLocalPrecreate\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformCertLocalPrecreate\u003c/code\u003e function copies the oversized \u003ccode\u003estandard\u003c/code\u003e argument into a fixed-size buffer on the stack without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThis causes a stack-based buffer overflow, overwriting adjacent memory regions, including the return address of the function.\u003c/li\u003e\n\u003cli\u003eThe attacker controls the overwritten return address to point to attacker-controlled code injected into memory, or to a Return-Oriented Programming (ROP) chain.\u003c/li\u003e\n\u003cli\u003eUpon function return, execution is redirected to the attacker\u0026rsquo;s code, allowing them to execute arbitrary commands on the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5604 allows a remote, unauthenticated attacker to execute arbitrary code on the Tenda CH22 router. This could lead to a complete compromise of the device, allowing the attacker to gain control over network traffic, modify router settings, or use the device as part of a botnet. Given the wide deployment of Tenda routers, a large number of devices could be vulnerable, making this a high-impact vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e with unusually long \u003ccode\u003estandard\u003c/code\u003e parameters to identify potential exploit attempts (see rule: \u0026ldquo;Detect Tenda CH22 Buffer Overflow Attempt via Long Standard Parameter\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/goform/CertLocalPrecreate\u003c/code\u003e endpoint to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply any available firmware updates from Tenda to patch CVE-2026-5604.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda CH22 Router POST Request to CertLocalPrecreate\u0026rdquo; to identify suspicious POST requests to the affected endpoint and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T23:16:20Z","date_published":"2026-04-05T23:16:20Z","id":"/briefs/2026-04-tenda-ch22-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5604) in Tenda CH22 1.0.0.1 allows remote attackers to execute arbitrary code by manipulating the 'standard' argument in the formCertLocalPrecreate function of the /goform/CertLocalPrecreate file within the Parameter Handler component.","title":"Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-ch22-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5604","version":"https://jsonfeed.org/version/1.1"}