{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5605/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5605"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-5605","buffer-overflow","tenda"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, identified as CVE-2026-5605, affects Tenda CH22 router version 1.0.0.1. This flaw resides in the \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function within the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e file. A remote, unauthenticated attacker can exploit a stack-based buffer overflow by sending a crafted HTTP request with a malicious value for the \u003ccode\u003eGO\u003c/code\u003e argument. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows the attacker to potentially execute arbitrary code on the device, leading to a complete compromise of the router and the network it serves.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda CH22 router running firmware version 1.0.0.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003eGO\u003c/code\u003e argument with a string exceeding the expected buffer size in the \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s web server receives the request and passes the \u003ccode\u003eGO\u003c/code\u003e argument to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function attempts to copy the oversized \u003ccode\u003eGO\u003c/code\u003e argument into a fixed-size buffer on the stack.\u003c/li\u003e\n\u003cli\u003eThis write operation overflows the buffer, overwriting adjacent memory regions, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eformWrlExtraSet\u003c/code\u003e function returns, it jumps to the address overwritten by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s injected code executes with the privileges of the web server process, potentially allowing full control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5605 can lead to complete compromise of the Tenda CH22 router. This includes unauthorized access to network traffic, modification of router settings, and the potential for the router to be used as a pivot point for further attacks within the network. Given the ease of exploitation and the public availability of exploits, a large number of devices are potentially at risk, impacting both home and small business users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e with unusually long \u003ccode\u003eGO\u003c/code\u003e parameter values to detect potential exploitation attempts. Use the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to \u003ccode\u003e/goform/WrlExtraSet\u003c/code\u003e to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eSince there is no patch available, consider replacing affected Tenda CH22 1.0.0.1 routers with devices from vendors with timely security updates.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T12:00:00Z","date_published":"2026-04-06T12:00:00Z","id":"/briefs/2026-04-tenda-ch22-buffer-overflow/","summary":"A stack-based buffer overflow vulnerability in Tenda CH22 version 1.0.0.1 allows a remote attacker to execute arbitrary code by manipulating the 'GO' argument in the formWrlExtraSet function via the /goform/WrlExtraSet endpoint.","title":"Tenda CH22 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-ch22-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-5605","version":"https://jsonfeed.org/version/1.1"}