{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/stack-based-buffer-overflow/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5686"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-5686","tenda","router","stack-based buffer overflow","remote code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5686 is a critical vulnerability affecting Tenda CX12L routers running firmware version 16.03.53.12. This stack-based buffer overflow is located in the \u003ccode\u003efromRouteStatic\u003c/code\u003e function within the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e file. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request with a malicious \u003ccode\u003epage\u003c/code\u003e argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could lead to arbitrary code execution, potentially allowing attackers to gain full control of the affected router. 
This poses a significant risk to home and small business networks using the vulnerable device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda CX12L router running firmware version 16.03.53.12.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epage\u003c/code\u003e argument with a string exceeding the buffer size allocated to the \u003ccode\u003efromRouteStatic\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003epage\u003c/code\u003e argument overwrites adjacent memory on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003efromRouteStatic\u003c/code\u003e function returns, it attempts to jump to the overwritten return address controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload, injected via the overflowed buffer, is executed with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution on the router.\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the compromised router as a foothold for further attacks, such as network reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5686 allows a remote attacker to execute arbitrary code on the affected Tenda CX12L router. This could lead to a complete compromise of the device, enabling attackers to modify router settings, intercept network traffic, or use the router as a proxy for malicious activities. 
Given the widespread use of Tenda routers in home and small business networks, this vulnerability could have a significant impact, potentially affecting thousands of users. A successful attack could lead to data breaches, service disruptions, and further compromise of connected devices within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Tenda to address CVE-2026-5686.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) to detect and block exploit attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eRestrict access to the router\u0026rsquo;s administrative interface to trusted networks or IP addresses to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eRegularly review router configurations and security settings to ensure they align with best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T22:16:24Z","date_published":"2026-04-06T22:16:24Z","id":"/briefs/2026-04-tenda-cx12l-stack-overflow/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-5686) exists in the Tenda CX12L router version 16.03.53.12, allowing remote attackers to potentially execute arbitrary code by manipulating the 'page' argument in the `/goform/RouteStatic` endpoint.","title":"Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5686)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-stack-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-47391"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2025-47391","memory corruption","qualcomm","stack-based 
buffer overflow"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-47391 is a critical memory corruption vulnerability affecting Qualcomm products. The vulnerability stems from a stack-based buffer overflow (CWE-121) triggered during the processing of a frame request. The vulnerability is detailed in the Qualcomm Security Bulletin for April 2026. A successful exploit could lead to arbitrary code execution within the context of the affected process. This vulnerability poses a significant risk to devices utilizing vulnerable Qualcomm components, potentially allowing attackers to gain unauthorized access and control. Defenders should prioritize identifying affected devices and applying necessary patches as soon as they become available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince no specific exploit details are provided in the source, the following attack chain describes the general steps involved in exploiting a stack-based buffer overflow when processing a frame request.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious frame request.\u003c/li\u003e\n\u003cli\u003eThe frame request is sent to the vulnerable Qualcomm component.\u003c/li\u003e\n\u003cli\u003eThe component\u0026rsquo;s software processes the frame request.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs due to insufficient bounds checking when handling the request.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites adjacent memory on the stack, including return addresses.\u003c/li\u003e\n\u003cli\u003eUpon function return, execution is redirected to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code, potentially gaining control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-47391 can lead to arbitrary code execution, potentially 
allowing an attacker to gain complete control over the affected device. Given the widespread use of Qualcomm components in mobile devices and other embedded systems, the impact could be significant, affecting a large number of users. The memory corruption vulnerability could allow for data theft, device compromise, and denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for suspicious frame requests targeting Qualcomm-based devices, and deploy the network connection rule below to detect unusual outbound activity after potential exploitation.\u003c/li\u003e\n\u003cli\u003eAnalyze process memory for unusual code execution patterns, and implement the process creation rule to detect unexpected processes being launched.\u003c/li\u003e\n\u003cli\u003eReview and apply the security updates provided in the Qualcomm Security Bulletin for April 2026 to patch CVE-2025-47391.\u003c/li\u003e\n\u003cli\u003eMonitor for registry modifications indicative of persistence, using the registry_set rule below to detect unusual registry changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:27Z","date_published":"2026-04-06T16:16:27Z","id":"/briefs/2026-04-cve-2025-47391/","summary":"CVE-2025-47391 is a memory corruption vulnerability due to a stack-based buffer overflow (CWE-121) while processing a frame request, as detailed in the Qualcomm security bulletin for April 2026, potentially leading to arbitrary code execution.","title":"CVE-2025-47391 Qualcomm Memory Corruption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2025-47391/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32925"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-32925","stack-based-buffer-overflow","v-sft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eV-SFT versions 6.2.10.0 and earlier are 
susceptible to a critical stack-based buffer overflow vulnerability identified as CVE-2026-32925. This flaw resides within the \u003ccode\u003eVS6ComFile!CV7BaseMap::WriteV7DataToRom\u003c/code\u003e function. The vulnerability is triggered when the software processes a specially crafted V7 file. A successful exploit could allow an attacker to execute arbitrary code within the context of the application. This poses a significant risk to systems utilizing affected versions of V-SFT, as it could lead to complete system compromise. The vulnerability was reported to JPCERT/CC and assigned CWE-121, highlighting the classic stack-based buffer overflow nature of the issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious V7 file designed to exploit the buffer overflow in \u003ccode\u003eVS6ComFile!CV7BaseMap::WriteV7DataToRom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user opens the malicious V7 file using a vulnerable version of V-SFT (6.2.10.0 or prior).\u003c/li\u003e\n\u003cli\u003eV-SFT attempts to parse the V7 file, specifically calling the \u003ccode\u003eCV7BaseMap::WriteV7DataToRom\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the \u003ccode\u003eWriteV7DataToRom\u003c/code\u003e function execution, the crafted V7 file provides input that exceeds the buffer size allocated on the stack.\u003c/li\u003e\n\u003cli\u003eThe excessive input overwrites adjacent memory locations on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eUpon completion of the \u003ccode\u003eWriteV7DataToRom\u003c/code\u003e function, control is transferred to the overwritten return address.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects code execution to a location containing malicious code injected into the process memory.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the V-SFT application, potentially leading to 
complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32925 allows an attacker to execute arbitrary code on systems running vulnerable versions of V-SFT (6.2.10.0 and prior). This could result in complete system compromise, data theft, or denial of service. The exact number of potential victims is unknown, but the severity is high due to the potential for arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a non-vulnerable version of V-SFT as provided by the vendor (Fuji Electric). Refer to the vendor advisory (\u003ca href=\"https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb\"\u003ehttps://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for V-SFT spawning unusual child processes, which might indicate successful code execution. 
Utilize the Sigma rule \u0026ldquo;Detect Suspicious V-SFT Child Processes\u0026rdquo; to identify such behavior.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring for the V-SFT executable and related libraries to detect unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T23:17:02Z","date_published":"2026-04-01T23:17:02Z","id":"/briefs/2026-04-v-sft-buffer-overflow/","summary":"V-SFT versions 6.2.10.0 and prior are vulnerable to a stack-based buffer overflow (CVE-2026-32925) in the VS6ComFile!CV7BaseMap::WriteV7DataToRom function, potentially leading to arbitrary code execution when processing a crafted V7 file.","title":"V-SFT v6.2.10.0 Stack-Based Buffer Overflow (CVE-2026-32925)","url":"https://feed.craftedsignal.io/briefs/2026-04-v-sft-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4567","stack-based buffer overflow","tenda","router","remote code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical stack-based buffer overflow vulnerability, identified as CVE-2026-4567, has been discovered in Tenda A15 wireless routers running firmware version 15.13.07.13. The vulnerability resides in the \u003ccode\u003eUploadCfg\u003c/code\u003e function within the \u003ccode\u003e/cgi-bin/UploadCfg\u003c/code\u003e file, which handles file uploads.  
A remote attacker can exploit this flaw by crafting a malicious request to the router, specifically targeting the \u003ccode\u003eFile\u003c/code\u003e argument, to overwrite the stack buffer and potentially gain arbitrary code execution…\u003c/p\u003e\n","date_modified":"2026-03-23T03:16:00Z","date_published":"2026-03-23T03:16:00Z","id":"/briefs/2026-03-tenda-a15-bo/","summary":"A stack-based buffer overflow vulnerability (CVE-2026-4567) exists in the UploadCfg function of the /cgi-bin/UploadCfg file in Tenda A15 firmware version 15.13.07.13, allowing remote attackers to execute arbitrary code by manipulating the File argument.","title":"Tenda A15 Router Stack-Based Buffer Overflow (CVE-2026-4567)","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-a15-bo/"}],"language":"en","title":"CraftedSignal Threat Feed — Stack-Based-Buffer-Overflow","version":"https://jsonfeed.org/version/1.1"}