Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10191

CVE-2026-10191: Tenda W12 Buffer Overflow Vulnerability

CVE-2026-10191 is a stack-based buffer overflow flaw in Tenda W12 router that enables remote attackers to execute arbitrary code. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-10191 Overview

CVE-2026-10191 is a stack-based buffer overflow vulnerability in the Tenda W12 wireless access point running firmware version 3.0.0.7(4763). The flaw resides in the cgiWifiMacFilterSet function within the /bin/httpd binary. Attackers manipulate the wifiMacFilterSet.macList.mac argument to overflow a fixed-size buffer on the stack. The vulnerability is exploitable remotely over the network and requires low-level privileges. A public proof-of-concept exploit has been disclosed, increasing the risk of opportunistic attacks against exposed devices.

Critical Impact

Remote attackers with low privileges can corrupt stack memory in the Tenda W12 HTTP daemon, leading to denial of service or arbitrary code execution on the affected device.

Affected Products

  • Tenda W12 wireless access point
  • Firmware version 3.0.0.7(4763)
  • HTTP daemon binary /bin/httpd exposing the cgiWifiMacFilterSet handler

Discovery Timeline

  • 2026-05-31 - CVE-2026-10191 published to the National Vulnerability Database
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-10191

Vulnerability Analysis

The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). It affects the cgiWifiMacFilterSet handler in the /bin/httpd web management binary on the Tenda W12 access point. The handler processes Wi-Fi MAC filter configuration requests submitted through the device's web interface.

When the handler parses the wifiMacFilterSet.macList.mac parameter, it copies attacker-controlled input into a fixed-size stack buffer without enforcing length boundaries. Supplying an oversized value overwrites adjacent stack memory, including saved return addresses and frame pointers. The attack can be initiated remotely against the device's management interface, and a working exploit archive has been published.

Root Cause

The root cause is missing bounds checking on the mac field of the macList structure inside the cgiWifiMacFilterSet function. The web server reads the user-supplied MAC list value and writes it into a local buffer using an unbounded copy operation. Embedded HTTP daemons on consumer networking equipment frequently rely on functions such as strcpy or sprintf without input validation, which produces the stack corruption observed here.

Attack Vector

An authenticated attacker sends a crafted HTTP request to the device's management endpoint that handles Wi-Fi MAC filter configuration. The request includes an oversized value in the wifiMacFilterSet.macList.mac parameter. The malformed payload overflows the destination stack buffer, overwriting saved registers and the return address. Successful exploitation can redirect control flow to attacker-supplied shellcode or return-oriented programming gadgets within the firmware. The public proof-of-concept archive distributed through third-party mirrors demonstrates the overflow against a live device.

The vulnerability mechanism is described in prose because no verified exploit code from the vendor or a trusted research repository is available. Refer to the VulDB CVE-2026-10191 entry and VulDB Vulnerability #367472 for technical write-ups.

Detection Methods for CVE-2026-10191

Indicators of Compromise

  • HTTP POST or GET requests to the device management interface containing unusually long values in the wifiMacFilterSet.macList.mac parameter
  • Unexpected reboots, crashes, or watchdog restarts of the httpd process on Tenda W12 devices
  • Outbound connections from the access point to unknown hosts following management-plane activity
  • Presence of the exploit artifact cgiWifiMacFilterSet_overflow.zip observed in network captures or proxy logs

Detection Strategies

  • Inspect HTTP traffic to the device administrative interface for parameter values exceeding the standard 17-character MAC address format
  • Apply network intrusion identification signatures that flag oversized payloads targeting cgiWifiMacFilterSet URI paths
  • Correlate web management activity with subsequent service crashes or configuration changes on the device

Monitoring Recommendations

  • Forward syslog and HTTP access logs from Tenda W12 devices to a centralized logging or SIEM platform for parameter length analysis
  • Monitor management VLANs for unexpected sources reaching the device web interface
  • Alert on repeated authentication followed by malformed POST bodies sent to /goform/ or equivalent CGI endpoints exposed by /bin/httpd

How to Mitigate CVE-2026-10191

Immediate Actions Required

  • Restrict access to the Tenda W12 web management interface to trusted administrative networks only
  • Disable remote WAN-side administration if it is currently enabled on affected devices
  • Rotate administrative credentials, since the attack requires low-privileged authentication
  • Review device logs and configuration for signs of tampering or unauthorized MAC filter changes

Patch Information

No vendor patch has been published in the references available at the time of disclosure. Consult the Tenda official website for firmware updates addressing the cgiWifiMacFilterSet overflow. Until a fixed firmware image is released, treat the device as exposed and apply compensating network controls.

Workarounds

  • Place the access point behind a firewall that blocks inbound traffic to the management port from untrusted segments
  • Use access control lists to permit administrative HTTP requests only from designated management workstations
  • Disable the Wi-Fi MAC filter configuration feature through the web UI if it is not required in the deployment
  • Plan replacement of end-of-support hardware where vendor patches are unlikely to be issued
bash
# Example: restrict access to the device management interface using iptables on an upstream gateway
# Replace 10.0.0.0/24 with the trusted management subnet and 192.0.2.10 with the device IP
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 80 -j DROP
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.0.2.10 --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne