CVE-2026-11528: Tenda AC18 Buffer Overflow Vulnerability

CVE-2026-11528 Overview

CVE-2026-11528 is a stack-based buffer overflow vulnerability affecting the Tenda AC18 router running firmware version 15.03.05.05. The flaw resides in the sub_45304 function reachable through the /goform/getRebootStatus endpoint of the Web Management Interface. Attackers manipulate the callback argument to overflow a fixed-size stack buffer. The issue is exploitable over the network, and a public proof-of-concept has been released, increasing the likelihood of opportunistic exploitation against exposed devices.

Critical Impact

Remote attackers with low-privilege access can trigger a stack-based buffer overflow on Tenda AC18 routers, potentially leading to arbitrary code execution or denial of service on the device.

Affected Products

• Tenda AC18 router, firmware version 15.03.05.05
• Web Management Interface component handling /goform/getRebootStatus
• Internal function sub_45304 processing the callback parameter

Discovery Timeline

• 2026-06-08 - CVE-2026-11528 published to the National Vulnerability Database
• 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-11528

Vulnerability Analysis

The vulnerability is classified under [CWE-119] as an improper restriction of operations within the bounds of a memory buffer. The Tenda AC18 web management daemon exposes the /goform/getRebootStatus handler, which internally calls sub_45304 to process query parameters. The callback parameter, typically used for JSONP-style response wrapping, is copied into a stack-allocated buffer without length validation.

When an attacker supplies an oversized callback value, the copy operation writes past the buffer boundary, corrupting adjacent stack data including saved return addresses. On MIPS-based Tenda firmware, this corruption is commonly leveraged to redirect control flow and achieve arbitrary code execution within the context of the web management process, which typically runs with elevated privileges on the embedded device.

Root Cause

The root cause is missing bounds checking when copying user-controlled input from the callback HTTP parameter into a fixed-size stack buffer inside sub_45304. The function assumes the input length fits within the destination buffer rather than enforcing a maximum copy size.

Attack Vector

The attack is remote and requires only network reachability to the router's web management interface. According to the CVSS vector, the attacker needs low-level authentication on the device. A crafted HTTP request to /goform/getRebootStatus with an oversized callback query string parameter triggers the overflow. A public exploit referenced in the GitHub PoC Report demonstrates the technique.

// No verified exploit code is reproduced here.
// See the public PoC for technical details:
// https://github.com/Robots10/IoT_vlu/blob/main/reports/Tenda/getRebootStatus/getRebootStatus.md

Detection Methods for CVE-2026-11528

Indicators of Compromise

• HTTP requests to /goform/getRebootStatus containing unusually long callback query parameter values
• Unexpected reboots or crashes of the Tenda AC18 web management process (httpd)
• Outbound connections originating from the router to unknown infrastructure following web interface access
• New or modified firmware configuration entries appearing without administrator action

Detection Strategies

• Inspect web server and router logs for requests to /goform/getRebootStatus where the callback parameter exceeds typical lengths, for example more than 256 bytes
• Deploy network intrusion detection signatures that flag oversized query parameters targeting Tenda /goform/ endpoints
• Monitor for HTTP requests to the router management interface originating from outside the management VLAN or the wide area network

Monitoring Recommendations

• Forward router syslog data to a centralized logging platform to correlate access attempts with management interface activity
• Alert on repeated HTTP 5xx responses from the web management interface, which can indicate exploitation attempts that crash the handler
• Track firmware versions across the device fleet to identify Tenda AC18 units still running the vulnerable 15.03.05.05 build

How to Mitigate CVE-2026-11528

Immediate Actions Required

• Restrict access to the router's web management interface so that it is reachable only from trusted internal hosts, never from the WAN
• Disable remote management features on affected Tenda AC18 devices until a vendor patch is applied
• Change default and reused administrator credentials, since the attack requires low-privilege authentication
• Inventory all Tenda AC18 devices running firmware 15.03.05.05 and prioritize them for remediation

Patch Information

At the time of publication, no vendor-supplied firmware update addressing CVE-2026-11528 has been referenced in the available data. Administrators should monitor the Tenda Official Website for updated firmware and consult the VulDB Vulnerability Details entry for tracking remediation status.

Workarounds

• Place affected routers behind a firewall that blocks inbound HTTP and HTTPS access to the management interface from untrusted networks
• Segment the management interface onto a dedicated VLAN accessible only to authorized administrators
• Replace end-of-life or unpatched Tenda AC18 devices with supported hardware where vendor patches are not forthcoming

# Example iptables rule to restrict access to the router management interface
# Allow only the management subnet 192.168.10.0/24 to reach the router web UI
iptables -A INPUT -p tcp --dport 80 -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP