Vulnerability-Lookup

CNVD-2026-04543

Vulnerability from cnvd - Published: 2026-01-13

Title

Tenda AC23缓冲区溢出漏洞

Description

Tenda AC23是腾达公司推出的一款支持Wi-Fi 6标准的高速无线双频路由器。 Tenda AC23存在缓冲区溢出漏洞。该漏洞是由于/goform/PowerSaveSet功能在处理sscanf函数对输入参数Time的复制时，未对数据长度进行有效边界检查。攻击者可利用该漏洞通过发送超长且精心构造的Time参数数据触发缓冲区溢出，从而导致设备拒绝服务或执行任意代码。

Severity

高

Formal description

厂商尚未发布漏洞修复程序，请及时关注厂商官网更新: https://www.tenda.com.cn/product/help/AC23#download

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-0640

Impacted products

Name
Tenda AC23 16.03.07.52

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-0640",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-0640"
    }
  },
  "description": "Tenda AC23\u662f\u817e\u8fbe\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u652f\u6301Wi-Fi 6\u6807\u51c6\u7684\u9ad8\u901f\u65e0\u7ebf\u53cc\u9891\u8def\u7531\u5668\u3002\n\nTenda AC23\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e/goform/PowerSaveSet\u529f\u80fd\u5728\u5904\u7406sscanf\u51fd\u6570\u5bf9\u8f93\u5165\u53c2\u6570Time\u7684\u590d\u5236\u65f6\uff0c\u672a\u5bf9\u6570\u636e\u957f\u5ea6\u8fdb\u884c\u6709\u6548\u8fb9\u754c\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u53d1\u9001\u8d85\u957f\u4e14\u7cbe\u5fc3\u6784\u9020\u7684Time\u53c2\u6570\u6570\u636e\u89e6\u53d1\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u4ece\u800c\u5bfc\u81f4\u8bbe\u5907\u62d2\u7edd\u670d\u52a1\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u5382\u5546\u5b98\u7f51\u66f4\u65b0:\r\nhttps://www.tenda.com.cn/product/help/AC23#download",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-04543",
  "openTime": "2026-01-13",
  "products": {
    "product": "Tenda AC23 16.03.07.52"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-0640",
  "serverity": "\u9ad8",
  "submitTime": "2026-01-09",
  "title": "Tenda AC23\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2026-0640 (GCVE-0-2026-0640)

Vulnerability from cvelistv5 – Published: 2026-01-06 15:32 – Updated: 2026-01-06 18:10

Title

Tenda AC23 PowerSaveSet sscanf buffer overflow

Summary

A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

8.8 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R

CWE

CWE-120 - Buffer Overflow
CWE-119 - Memory Corruption

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.339683	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.339683	signaturepermissions-required
	https://vuldb.com/?submit.731772	third-party-advisory
	https://github.com/xyh4ck/iot_poc/blob/main/Tenda…	exploit
	https://github.com/xyh4ck/iot_poc/blob/main/Tenda…	exploit
	https://www.tenda.com.cn/	product

Impacted products

	Vendor	Product	Version
	Tenda	AC23	Affected: 16.03.07.52

Credits

xuanyu (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0640",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-06T18:08:33.402004Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-06T18:10:01.723Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AC23",
          "vendor": "Tenda",
          "versions": [
            {
              "status": "affected",
              "version": "16.03.07.52"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "xuanyu (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Executing a manipulation of the argument Time can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-06T15:32:08.760Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-339683 | Tenda AC23 PowerSaveSet sscanf buffer overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.339683"
        },
        {
          "name": "VDB-339683 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.339683"
        },
        {
          "name": "Submit #731772 | Tenda AC23 V16.03.07.52 Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.731772"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow/Tenda%20AC23_Buffer_Overflow.md#poc"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.tenda.com.cn/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-06T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-01-06T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-01-06T10:12:20.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tenda AC23 PowerSaveSet sscanf buffer overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-0640",
    "datePublished": "2026-01-06T15:32:08.760Z",
    "dateReserved": "2026-01-06T09:07:14.569Z",
    "dateUpdated": "2026-01-06T18:10:01.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-04543

CVE-2026-0640 (GCVE-0-2026-0640)

Tags

Sightings

Nomenclature