CVE-2026-51845 Overview
CVE-2026-51845 is a stack-based buffer overflow vulnerability affecting the Tenda AC7 wireless router running firmware version v15.03.06.44. The flaw resides in the /goform/AdvSetMacMtuWan web interface endpoint and is triggered through the mac parameter. An unauthenticated remote attacker can send a crafted HTTP request to corrupt the stack and potentially execute arbitrary code on the device. The issue is classified under CWE-121: Stack-based Buffer Overflow.
Critical Impact
Remote attackers can exploit the mac parameter without authentication to achieve arbitrary code execution on affected Tenda AC7 routers, leading to full device compromise.
Affected Products
- Tenda AC7 router firmware version v15.03.06.44
- /goform/AdvSetMacMtuWan web management interface
- mac HTTP request parameter handler
Discovery Timeline
- 2026-06-19 - CVE-2026-51845 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-51845
Vulnerability Analysis
The vulnerability exists in the Tenda AC7 router's HTTP management server, specifically in the handler for the /goform/AdvSetMacMtuWan endpoint. This endpoint processes WAN configuration requests that include MAC address and MTU parameters. The mac parameter is copied into a fixed-size stack buffer without proper length validation. An attacker can submit an oversized string to overwrite saved return addresses and adjacent stack data.
Successful exploitation grants the attacker code execution in the context of the router's HTTP service, which typically runs with elevated privileges on the embedded Linux firmware. The AC7 lacks the robust exploit mitigations common on desktop platforms, and return-oriented programming techniques are well documented against similar Tenda models.
Root Cause
The root cause is missing input length validation on the mac parameter prior to a memory copy into a stack-allocated buffer. The handler trusts attacker-supplied HTTP form data and uses unsafe string operations that do not enforce destination buffer bounds. This pattern is consistent with prior Tenda goform vulnerabilities documented in public research.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker reachable on the router's HTTP management interface, including remote attackers when management is exposed to the WAN, can send a single crafted POST request to /goform/AdvSetMacMtuWan with an oversized mac value. Refer to the KDev CVE Request Analysis for technical specifics on the parameter handling and overflow trigger.
Detection Methods for CVE-2026-51845
Indicators of Compromise
- HTTP POST requests targeting /goform/AdvSetMacMtuWan with abnormally long mac parameter values
- Unexpected reboots or crashes of the router's HTTP management daemon
- Outbound connections from the router to unknown external hosts following management interface access
Detection Strategies
- Inspect HTTP traffic destined for the router's management interface and alert on requests to /goform/AdvSetMacMtuWan whose mac parameter value exceeds the standard MAC address length (17 characters)
- Monitor for repeated malformed POST requests to goform endpoints from a single source
- Deploy network intrusion detection signatures that flag oversized form parameters in Tenda router HTTP traffic
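The first two strategies above can be sketched as a check over parsed HTTP requests. This is an added example, not code from the advisory or from any vendor tooling. The request tuple layout, the repeat threshold and the sample traffic are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/AdvSetMacMtuWan"
MAC_MAX_LEN = 17  # length of "AA:BB:CC:DD:EE:FF", per the strategy above
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
REPEAT_THRESHOLD = 3  # assumption: flagged requests per source before escalating

def inspect_request(src_ip, method, url, body):
    """Return findings for one request as (kind, src_ip, decoded_length) tuples."""
    parts = urlsplit(url)
    if method.upper() != "POST" or parts.path.rstrip("/") != TARGET_PATH:
        return []
    findings = []
    # Check the form body and the query string; parse_qs percent-decodes, so
    # a valid MAC sent with %3A-encoded colons still measures 17 characters.
    for raw in (body, parts.query):
        for value in parse_qs(raw, keep_blank_values=True).get("mac", []):
            if len(value) > MAC_MAX_LEN:
                findings.append(("oversized_mac", src_ip, len(value)))
            elif not MAC_RE.fullmatch(value):
                findings.append(("malformed_mac", src_ip, len(value)))
    return findings

def analyze(requests):
    """Return (all findings, sources with repeated flagged requests)."""
    alerts, per_source = [], Counter()
    for req in requests:
        found = inspect_request(*req)
        alerts.extend(found)
        per_source[req[0]] += bool(found)
    repeat = sorted(ip for ip, n in per_source.items() if n >= REPEAT_THRESHOLD)
    return alerts, repeat

# Constructed sample traffic (documentation address ranges), not captured data.
SAMPLE = [
    ("192.0.2.10", "POST", "/goform/AdvSetMacMtuWan", "mac=AA%3ABB%3ACC%3ADD%3AEE%3AFF"),
    ("198.51.100.7", "POST", "/goform/AdvSetMacMtuWan", "mac=" + "A" * 200),
    ("198.51.100.7", "POST", "/goform/AdvSetMacMtuWan", "mac=" + "A" * 400),
    ("198.51.100.7", "POST", "/goform/AdvSetMacMtuWan", "mac=zz"),
    ("192.0.2.10", "GET", "/index.html", ""),
]

if __name__ == "__main__":
    alerts, repeat = analyze(SAMPLE)
    for alert in alerts:
        print(alert)
    print("repeat sources:", repeat)
```

Measuring the length after percent-decoding keeps a legitimately encoded MAC address from raising a false positive while still catching oversized values.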
Monitoring Recommendations
- Log all administrative access to router management interfaces and forward to a central SIEM for correlation
- Track baseline behavior of router HTTP services and alert on service restarts or unusual process spawning
- Monitor egress traffic from network infrastructure devices for connections to unexpected destinations
How to Mitigate CVE-2026-51845
Immediate Actions Required
- Disable remote WAN management on the Tenda AC7 to prevent unauthenticated internet-based exploitation
- Restrict LAN-side access to the router's management interface using network segmentation and access control lists
- Replace the Tenda AC7 with a supported device if the vendor does not publish a firmware update addressing this issue
Patch Information
No vendor patch has been referenced in the published advisory at the time of writing. Consult the KDev CVE Request Analysis and the Tenda support channels for any subsequent firmware releases that address the /goform/AdvSetMacMtuWan handler.
Workarounds
- Place the router management interface behind a dedicated management VLAN reachable only from trusted administrative hosts
- Block inbound traffic to TCP ports 80 and 443 on the WAN interface using upstream firewall rules
- Disable the HTTP administration service when not actively configuring the device

