CVE-2026-5152: Tenda CH22 Buffer Overflow Vulnerability

CVE-2026-5152 is a stack-based buffer overflow vulnerability in Tenda CH22 Firmware that enables remote attackers to exploit the formCreateFileName function. This article covers technical details, affected versions, and mitigation.

CVE-2026-5152 Overview

CVE-2026-5152 is a stack-based buffer overflow in the Tenda CH22 router running firmware version 1.0.0.1. The flaw resides in the formCreateFileName function exposed through the /goform/createFileName endpoint. An attacker who manipulates the fileNameMit argument can overflow the stack buffer and corrupt adjacent memory. The issue is reachable over the network and a public exploit has been disclosed. The vulnerability is tracked under [CWE-119] and [CWE-787], indicating improper restriction of operations within a memory buffer and out-of-bounds write conditions.

Critical Impact

Remote attackers with low privileges can trigger memory corruption in the Tenda CH22 web management interface, potentially leading to arbitrary code execution or denial of service on the affected device.

Affected Products

  • Tenda CH22 hardware device
  • Tenda CH22 firmware version 1.0.0.1
  • /goform/createFileName web management endpoint

Discovery Timeline

  • 2026-03-30 - CVE-2026-5152 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-5152

Vulnerability Analysis

The vulnerability exists in the formCreateFileName handler that processes HTTP requests directed at /goform/createFileName. The handler reads the fileNameMit parameter from the incoming request and copies it into a fixed-size stack buffer without enforcing length validation. When an attacker supplies a fileNameMit value longer than the destination buffer, the copy operation overwrites adjacent stack memory, including saved registers and the return address. This corruption can redirect control flow and result in arbitrary code execution on the MIPS or ARM-based router firmware.

The affected endpoint is part of the device's web administration interface, which is reachable over the local network and, in misconfigured deployments, the internet. The exploit code is reported as public, lowering the technical barrier for attackers seeking to weaponize the issue against exposed devices.

Root Cause

The root cause is the absence of bounds checking when handling the fileNameMit parameter inside formCreateFileName. The function relies on unsafe string copy semantics that trust attacker-controlled input length. This pattern is consistent with [CWE-119] improper buffer restriction and [CWE-787] out-of-bounds write classifications. Embedded web server binaries on consumer routers frequently lack stack canaries and address space layout randomization, which makes such overflows more readily exploitable.

Attack Vector

The attack vector is network-based. An attacker requires low-privilege authentication to the web interface, then issues a crafted HTTP POST request to /goform/createFileName containing an oversized fileNameMit parameter. Successful exploitation impacts confidentiality, integrity, and availability of the device. Detailed proof-of-concept material is documented in the GitHub Vulnerability Reference and VulDB #354184.

// No verified exploit code is reproduced here.
// Refer to the linked VulDB and GitHub references for technical details.

Detection Methods for CVE-2026-5152

Indicators of Compromise

  • HTTP POST requests to /goform/createFileName containing abnormally long fileNameMit values, typically exceeding 100 bytes.
  • Unexpected reboots, watchdog resets, or httpd process crashes on Tenda CH22 devices.
  • Outbound connections from the router to unknown hosts following administrative interface activity.

Detection Strategies

  • Inspect web server access logs for repeated requests to /goform/createFileName from a single source.
  • Deploy network IDS signatures that flag HTTP request bodies containing oversized fileNameMit parameter values.
  • Correlate router crash telemetry with preceding HTTP traffic to the management interface.
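The following added example (not part of the original advisory or of any vendor tooling) applies the indicators above to raw HTTP requests: it flags POSTs to /goform/createFileName whose fileNameMit value exceeds 100 bytes and sources that hit the endpoint repeatedly. The record format, the repeat threshold of 3, the helper names and the sample requests are assumptions constructed for illustration; lengths are measured after percent-decoding on the assumption that the handler copies the decoded value.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/createFileName"  # endpoint named in the advisory
PARAM = "fileNameMit"                # parameter named in the advisory
MAX_LEN = 100  # byte threshold taken from the indicator list
REPEAT = 3     # assumed threshold for "repeated requests" from one source

def param_length(raw: bytes):
    """Longest decoded fileNameMit length; 0 if absent; None if not a POST to ENDPOINT."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2 or parts[0].upper() != "POST":
        return None
    target = urlsplit(parts[1])
    if target.path.rstrip("/") != ENDPOINT:
        return None
    # Inspect both the query string and the form body. latin-1 maps every
    # decoded byte to one character, so len() is the decoded byte count.
    fields = parse_qsl(target.query, keep_blank_values=True, encoding="latin-1")
    fields += parse_qsl(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    return max((len(v) for k, v in fields if k == PARAM), default=0)

def scan(records):
    """records: (source_ip, raw_request) pairs. Returns sorted alert tuples."""
    alerts, seen = [], Counter()
    for src, raw in records:
        n = param_length(raw)
        if n is None:
            continue  # not a POST to the monitored endpoint
        seen[src] += 1
        if n > MAX_LEN:
            alerts.append((src, "oversized", n))
    alerts += [(s, "repeated", c) for s, c in seen.items() if c >= REPEAT]
    return sorted(alerts)

def build_request(target, body, method="POST"):
    # Builds a constructed sample request; this is not captured traffic.
    return f"{method} {target} HTTP/1.1\r\nHost: router\r\n\r\n{body}".encode("latin-1")

SAMPLE = [  # constructed records using documentation-range addresses
    ("192.0.2.10", build_request(ENDPOINT, "fileNameMit=backup.cfg")),
    ("192.0.2.66", build_request(ENDPOINT, "fileNameMit=" + "%41" * 150)),
    ("192.0.2.66", build_request(ENDPOINT, "fileNameMit=" + "%41" * 40)),
    ("192.0.2.66", build_request(ENDPOINT + "?fileNameMit=" + "B" * 101, "x=1")),
    ("192.0.2.10", build_request("/goform/other", "fileNameMit=" + "A" * 500)),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The third sample is 120 characters on the wire but only 40 bytes once decoded, so it is counted toward the per-source total without raising an oversized alert.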

Monitoring Recommendations

  • Centralize syslog output from Tenda CH22 devices and alert on httpd segmentation faults or restart events.
  • Monitor for management interface exposure on WAN-facing interfaces using external attack surface tooling.
  • Track authentication events on the device web UI to identify brute-force attempts that precede exploitation.

How to Mitigate CVE-2026-5152

Immediate Actions Required

  • Restrict access to the Tenda CH22 web management interface to trusted management VLANs only.
  • Disable remote WAN administration on affected devices until a vendor patch is available.
  • Rotate administrative credentials to limit the impact of the low-privilege authentication requirement.
  • Replace end-of-support or unpatched Tenda CH22 units in high-risk environments.

Patch Information

No vendor advisory or firmware patch has been published for CVE-2026-5152 at the time of NVD publication. Monitor the Tenda Website Overview and VulDB #354184 for updated remediation guidance and firmware releases.

Workarounds

  • Place affected routers behind an upstream firewall that blocks inbound HTTP traffic to the management interface.
  • Apply ACLs that permit web UI access only from designated administrator workstations.
  • Segment IoT and consumer routers from production networks to contain post-exploitation movement.
```bash
# Example: restrict access to the router management interface using iptables on an upstream gateway
# Replace <router_ip> and <admin_subnet> before running; the ACCEPT rule must stay ahead of the DROP rule.
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s <admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
