CVE-2026-51843 Overview
CVE-2026-51843 is a stack-based buffer overflow vulnerability affecting the Tenda AC7 router running firmware version v15.03.06.44. The flaw resides in the /goform/AdvSetMacMtuWan interface and is triggered through the wanMTU parameter. An unauthenticated attacker on the network can submit a crafted HTTP request that overflows a fixed-size stack buffer, corrupting adjacent memory and control flow data. The vulnerability is classified under [CWE-121: Stack-based Buffer Overflow] and can result in arbitrary code execution or denial of service on the affected device.
Critical Impact
Network-adjacent attackers can exploit the wanMTU parameter without authentication to execute code or crash the router, with full compromise of confidentiality, integrity, and availability.
Affected Products
- Tenda AC7 router, firmware version v15.03.06.44
- Web management interface endpoint /goform/AdvSetMacMtuWan
- wanMTU parameter handler within the device HTTP daemon
Discovery Timeline
- 2026-06-19 - CVE-2026-51843 published to the National Vulnerability Database (NVD)
- 2026-06-22 - Last updated in the NVD database
Technical Details for CVE-2026-51843
Vulnerability Analysis
The vulnerability exists in the request handler for /goform/AdvSetMacMtuWan on the Tenda AC7. The handler reads the wanMTU parameter from an attacker-supplied HTTP request and copies it into a fixed-size stack buffer without enforcing a length check. Submitting an oversized value overwrites the saved return address and adjacent stack data.
Because the affected binary runs as a privileged process on the router, successful exploitation yields full control of the device. The EPSS probability is 0.363% at the time of publication, indicating limited observed exploitation activity. Additional analysis is available in the KDEV CVE Request Analysis.
Root Cause
The root cause is missing input length validation on the wanMTU HTTP parameter before it is copied into a stack buffer. The handler uses an unbounded copy operation, allowing the attacker-controlled string to extend past the buffer boundary. This pattern matches [CWE-121] stack-based buffer overflows commonly seen in embedded MIPS web management daemons.
Attack Vector
Exploitation occurs over the network against the router's HTTP management interface. The attacker sends a POST request to /goform/AdvSetMacMtuWan containing an oversized wanMTU value. No authentication or user interaction is required when the management interface is exposed to the attacker's network segment. A successful payload can divert execution to attacker-controlled shellcode, while a malformed payload causes a process crash and reboots the router.
No public proof-of-concept code has been verified in the enriched data. Refer to the KDEV CVE Request Analysis for technical details of the parameter handling.
Detection Methods for CVE-2026-51843
Indicators of Compromise
- HTTP POST requests to /goform/AdvSetMacMtuWan containing abnormally long wanMTU values, often exceeding 64 bytes.
- Unexpected reboots or web service crashes on Tenda AC7 devices following inbound HTTP traffic.
- Outbound connections from the router to unfamiliar IP addresses after suspicious management-interface activity.
Detection Strategies
- Inspect HTTP traffic to Tenda management interfaces for requests targeting /goform/AdvSetMacMtuWan with non-numeric or oversized wanMTU parameters.
- Deploy IDS or IPS signatures that flag wanMTU values exceeding the documented maximum MTU range (typically 576–1500).
- Correlate router crash and reboot events with preceding inbound HTTP requests to identify exploitation attempts.
Monitoring Recommendations
- Forward router syslog and HTTP access logs to a centralized analytics platform for correlation.
- Monitor for repeated POST requests to /goform/ endpoints from a single source within a short time window.
- Alert on management-interface access originating from untrusted network segments or external IP ranges.
How to Mitigate CVE-2026-51843
Immediate Actions Required
- Restrict access to the Tenda AC7 web management interface to trusted internal hosts using firewall ACLs.
- Disable remote (WAN-side) administration on the router until a vendor patch is applied.
- Change default administrative credentials and isolate vulnerable routers on dedicated VLANs.
Patch Information
No vendor patch URL is referenced in the enriched data at the time of publication. Monitor the KDEV CVE Request Analysis and Tenda support channels for firmware updates addressing the wanMTU parameter handler in /goform/AdvSetMacMtuWan.
Workarounds
- Block inbound TCP traffic to the router's HTTP management port from untrusted networks at the perimeter firewall.
- Apply web application firewall (WAF) rules that drop requests to /goform/AdvSetMacMtuWan containing wanMTU values longer than 8 characters or outside the valid MTU numeric range.
- Replace end-of-life or unpatched Tenda AC7 units with supported hardware where vendor firmware updates are unavailable.
# Example iptables rule restricting management interface access to a trusted subnet
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

