Tenda FH451
CVE-2026-36785
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the page parameter of the fromDhcpListClient function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
AnalysisAI
Denial of service in Tenda FH451 V1.0.0.9 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the page parameter handler of the fromDhcpListClient function. EPSS exploitation probability is very low (0.01%, 3rd percentile) and no public exploit identified at time of analysis, though proof-of-concept artifacts appear to be hosted in a public GitHub research repository. The flaw is not listed in CISA KEV.
Technical ContextAI
The vulnerability lives in the web management interface of the Tenda FH451, a SOHO-class enterprise/SMB router from Shenzhen Tenda Technology. The fromDhcpListClient function is one of the handlers in the device's embedded HTTP server (typically the httpd/goahead-derived binary common to Tenda firmware) that processes administrative pages such as the DHCP client list. CWE-121 (Stack-based Buffer Overflow) indicates that the page parameter received via HTTP is copied into a fixed-size stack buffer without proper length validation, corrupting the stack frame and crashing the binary. Because consumer/SMB router firmware typically lacks modern mitigations (ASLR, stack canaries are inconsistently applied on MIPS/ARM embedded targets), stack overflows in Tenda devices have historically been escalatable beyond DoS, although this specific CVE is scored only for availability impact.
RemediationAI
No vendor-released patch identified at time of analysis; Tenda has not published an advisory in the supplied references. Until a firmware update for the FH451 is released, restrict access to the router's web management interface by disabling remote/WAN management entirely and limiting LAN-side access to a dedicated management VLAN or specific admin IP addresses via ACLs - this directly removes the network reachability required by the AV:N vector at the cost of administrator convenience. Monitor the Tenda support portal (https://www.tendacn.com) for an FH451 firmware release superseding V1.0.0.9, and consult the researcher repository at https://github.com/xhh0124/SemVulLLM/tree/main/FH451/fromDhcpListClient_0 for additional technical detail. For high-exposure deployments, consider replacing end-of-support consumer-grade hardware with devices that receive regular security maintenance, since Tenda SMB routers have a long history of similar unpatched buffer overflows.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today