CVE-2026-51846 Overview
CVE-2026-51846 is a stack-based buffer overflow [CWE-121] affecting Tenda AC7 routers running firmware version v15.03.06.44. The flaw resides in the wanSpeed parameter handling within the /goform/AdvSetMacMtuWan HTTP endpoint. Unauthenticated attackers can send a crafted request over the network to corrupt the stack and achieve remote arbitrary code execution. Successful exploitation grants attacker control over the affected device, enabling persistence on the network perimeter.
Critical Impact
Remote unauthenticated attackers can execute arbitrary code on affected Tenda AC7 routers by sending crafted HTTP requests to the /goform/AdvSetMacMtuWan endpoint.
Affected Products
- Tenda AC7 router firmware version v15.03.06.44
- The vulnerable HTTP handler /goform/AdvSetMacMtuWan
- The wanSpeed request parameter processed by that handler
Discovery Timeline
- 2026-06-19 - CVE-2026-51846 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-51846
Vulnerability Analysis
The Tenda AC7 web management interface exposes the /goform/AdvSetMacMtuWan route to configure WAN MAC, MTU, and link speed settings. The handler reads the wanSpeed parameter from incoming HTTP requests and copies it into a fixed-size stack buffer without validating the input length. Supplying an oversized value overflows the buffer and overwrites adjacent stack memory, including the saved return address.
Because the affected binary runs with elevated privileges on the router and lacks modern memory protections common on consumer embedded devices, an attacker can pivot the corruption into reliable code execution. The vulnerability is exploitable without authentication and without user interaction, making any internet-exposed AC7 management interface a direct target. Botnet operators routinely weaponize these classes of Tenda flaws to expand IoT-based DDoS infrastructure.
Root Cause
The root cause is missing bounds checking on the wanSpeed HTTP parameter prior to a stack copy operation, classified under [CWE-121] Stack-based Buffer Overflow. The handler trusts client-supplied length values rather than enforcing a server-side maximum.
Attack Vector
The attack vector is network-based against the router's HTTP administration interface. An attacker sends a POST request to /goform/AdvSetMacMtuWan with an oversized wanSpeed value. No credentials or user interaction are required. See the KDev CVE Request 005 advisory for proof-of-concept details.
No verified exploit code is published in the enriched data. The vulnerability mechanism follows the standard pattern of unchecked strcpy-style copies in Tenda httpd form handlers documented in prior research.
Detection Methods for CVE-2026-51846
Indicators of Compromise
- HTTP POST requests to /goform/AdvSetMacMtuWan containing abnormally long wanSpeed parameter values, typically exceeding 64 bytes.
- Unexpected reboots, crashes, or httpd process restarts on Tenda AC7 devices following inbound web requests.
- Outbound connections from the router to unfamiliar IPs, indicating possible implant or botnet enrollment after exploitation.
Detection Strategies
- Inspect HTTP request logs from the router or upstream gateways for requests targeting /goform/AdvSetMacMtuWan with non-standard parameter sizes.
- Deploy network IDS signatures that flag oversized wanSpeed POST bodies against the AC7 management interface.
- Correlate router crash events with preceding inbound HTTP traffic to identify exploitation attempts.
Monitoring Recommendations
- Monitor administrative interfaces of consumer-grade routers for any exposure to untrusted networks or the public internet.
- Track firmware versions across Tenda AC7 deployments and alert on devices running v15.03.06.44 or earlier.
- Watch for anomalous DNS lookups or scanning behavior originating from router IP addresses, which often indicate post-compromise activity.
How to Mitigate CVE-2026-51846
Immediate Actions Required
- Restrict access to the router web management interface to trusted internal hosts only and disable remote WAN-side administration.
- Place affected Tenda AC7 devices behind a network segment that blocks untrusted HTTP traffic to /goform/ endpoints.
- Replace internet-exposed AC7 devices with patched or alternative hardware where no vendor fix is available.
Patch Information
No vendor patch is referenced in the enriched CVE data. Consult the KDev CVE Request 005 advisory and the Tenda support portal for any subsequent firmware update addressing the wanSpeed parameter handling.
Workarounds
- Disable remote management on the WAN interface through the router admin panel.
- Apply firewall rules upstream of the router to drop external HTTP and HTTPS traffic destined for the management interface.
- Change default administrative credentials and isolate the router on a dedicated management VLAN to limit lateral exposure.
# Example upstream firewall rule blocking external access to the router admin interface
iptables -A FORWARD -p tcp -d <router-ip> --dport 80 -i <wan-interface> -j DROP
iptables -A FORWARD -p tcp -d <router-ip> --dport 443 -i <wan-interface> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

