Skip to main content

Tenda CP3 CVE-2026-51601

| EUVDEUVD-2026-42644 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-07-09 cve@mitre.org GHSA-pgqw-x8wr-7q7m
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable, unauthenticated (PR:N) RTSP request of low complexity; impact limited to a service crash, so C:N/I:N and A:H only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 10, 2026 - 18:29 vuln.today
CVSS changed
Jul 10, 2026 - 18:22 NVD
7.5 (HIGH)
CVE Published
Jul 09, 2026 - 17:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Tenda CP3 V3.0 firmware V31.1.9.91 contains a stack-based buffer overflow in the RTSP service. The device fails to validate the length of the clock= value in the Range header field when processing a PLAY request. An unauthenticated remote attacker who has completed a standard RTSP session handshake can send a PLAY request with an excessively long clock= value to cause the RTSP service to crash.

AnalysisAI

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach camera RTSP port 554
Delivery
Complete standard RTSP handshake
Exploit
Send PLAY with over-long clock= value
Execution
Overflow stack buffer in Range parser
Impact
Crash RTSP service (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the Tenda CP3 RTSP service (typically TCP/554) and completion of a standard RTSP session handshake before sending the malicious PLAY request; no credentials are needed (CVSS PR:N, unauthenticated). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the camera's RTSP port (e.g., a device exposed to the internet or reachable from a compromised LAN host) completes a normal RTSP handshake and issues a PLAY request whose Range header contains a very long clock= value. The oversized value overflows a stack buffer in the RTSP parser and crashes the service, cutting off the camera's video stream; a public GitHub write-up describes the reproduction, so replication is low-effort for a network-adjacent attacker.
Remediation No vendor-released patch is identified at time of analysis - the only references are the NVD entry and a GitHub research report, with no Tenda firmware fix version cited, so an exact upgrade target cannot be given. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all Tenda CP3 V3.0 devices running firmware V31.1.9.91. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Tenda

View all
CVE-2022-30023 HIGH POC
8.8 Jun 16

Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function. Rated high sev

CVE-2015-5995 CRITICAL POC
9.8 Dec 31

Mediabridge Medialink MWN-WAPR300N devices with firmware 5.07.50 and Tenda N3 Wireless N150 devices allow remote attacke

CVE-2014-5246 CRITICAL POC
10.0 Aug 22

The Shenzhen Tenda Technology Tenda A5s router with firmware 3.02.05_CN allows remote attackers to bypass authentication

CVE-2025-45042 CRITICAL POC
9.8 May 05

Tenda AC9 v15.03.05.14 was discovered to contain a command injection vulnerability via the Telnet function. Rated critic

CVE-2025-29384 CRITICAL POC
9.8 Mar 14

In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability

CVE-2025-44877 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formSetSambaConf function via

CVE-2025-44872 CRITICAL POC
9.8 May 02

Tenda AC9 V15.03.06.42_multi was found to contain a command injection vulnerability in the formsetUsbUnload function via

CVE-2022-32386 CRITICAL POC
9.8 Jul 06

Tenda AC23 v16.03.07.44 was discovered to contain a buffer overflow via fromAdvSetMacMtuWan. Rated critical severity (CV

CVE-2025-25632 CRITICAL POC
9.8 Mar 05

Tenda AC15 v15.03.05.19 is vulnerable to Command Injection via the handler function in /goform/telnet. Rated critical se

CVE-2023-51972 CRITICAL POC
9.8 Jan 10

Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. Rate

CVE-2023-51812 CRITICAL POC
9.8 Jan 04

Tenda AX3 v16.03.12.11 was discovered to contain a remote code execution (RCE) vulnerability via the list parameter at /

CVE-2025-45429 CRITICAL POC
9.8 Apr 23

In the Tenda ac9 v1.0 router with firmware V15.03.05.14_multi, there is a stack overflow vulnerability in /goform/WifiWp

Share

CVE-2026-51601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy