Executive Summary
A critical buffer overflow vulnerability (CVSS 9.8) has been disclosed in the Tenda AC10 v3 home router, affecting firmware version V03.03.16.09. Tracked as CVE-2026-51380, the flaw exists in the /cgi-bin/UploadCfg endpoint and can be triggered remotely by an unauthenticated attacker.
Successful exploitation can cause a permanent Denial of Service (DoS) — requiring physical power cycle to restore — or potentially enable remote code execution (RCE) on the device, granting full control over the router and any network traffic passing through it.
Technical Details
Vulnerability Description
The Tenda AC10 v3 firmware processes configuration file uploads through the /cgi-bin/UploadCfg CGI handler. This handler fails to properly validate the size or content of the supplied data before copying it into a fixed-size stack buffer. A carefully crafted oversized upload payload can overflow this buffer, overwriting adjacent stack memory.
Consequences of exploitation:
- DoS — Overwriting critical stack structures causes the CGI process (and the router's web management daemon) to crash. In the Tenda AC10 v3, this crash is unrecoverable without a physical power cycle, resulting in permanent service disruption.
- RCE — A precisely crafted payload can overwrite the function return address, redirecting execution flow to attacker-controlled shellcode or ROP gadgets loaded in memory. This grants the attacker root-level code execution on the router's MIPS/ARM processor.
Attack Vector
The /cgi-bin/UploadCfg endpoint is accessible from the router's LAN-side web interface and, in many home deployments, may be inadvertently exposed to the WAN through port forwarding rules or UPnP misconfigurations.
No authentication is required to trigger the overflow in the tested firmware version.
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
Affected Versions
| Product | Firmware Version | Status |
|---|---|---|
| Tenda AC10 v3 | V03.03.16.09 | Vulnerable |
Note: No firmware patch has been released by Tenda at the time of this advisory. Check the Tenda support page for updates.
Remediation
As of the publication date, no official patch is available from Tenda. Users should apply the following mitigations immediately:
Mitigations
- Disable remote management — Ensure the router's web management interface is not accessible from the WAN. Disable WAN-facing HTTP/HTTPS management in the router settings.
- Disable UPnP — Prevent automatic port forwarding rules from exposing the management interface externally.
- Restrict LAN access — If possible, limit access to the router's admin interface to specific trusted devices using IP-based ACLs or VLAN segmentation.
- Replace or retire the device — Given Tenda's history of slow or absent patching for end-of-life devices, users with critical network security requirements should consider replacing the AC10 v3 with a regularly updated device.
- Monitor for anomalous activity — If the router is suspected to have been compromised, treat all traffic it processed as potentially intercepted. Rotate credentials for services accessed through the network.
Context: IoT Router Vulnerabilities
Buffer overflow vulnerabilities in consumer routers remain among the most persistent and dangerous vulnerability classes in the IoT space. Devices like the Tenda AC10 are often deployed for years beyond their supported firmware lifecycle, leaving millions of home and small office networks exposed to vulnerabilities with no vendor remediation path.
The Tenda AC10 v3 has been the subject of multiple prior CVEs across its firmware versions, highlighting a systemic lack of memory-safe programming practices in its CGI handler codebase.