CVE-2026-10188: Tenda W12 httpd cgistaKickOff stack-based overflow
A flaw has been found in Tenda W12 3.0.0.7(4763). This affects the function cgistaKickOff of the file /bin/httpd. Manipulating the argument staMac can lead to a stack-based buffer overflow. The attack can be performed remotely. The exploit has been published and may be used.
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in the cgistaKickOff function of the httpd binary on Tenda W12 firmware version 3.0.0.7(4763). An attacker with low-privilege network access can send a crafted staMac argument to trigger the overflow, requiring no victim interaction. Successful exploitation gives the attacker full read and write access to memory and can crash or take control of the affected service, enabling remote code execution. No fix version has been published; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-10188 is available across every HarborGuard environment - the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against all customer images, including custom-built images derived from Tenda W12 firmware layers. Any image carrying the affected httpd binary at version 3.0.0.7(4763) is flagged automatically.
Available
HarborGuard scores this issue at CVSS 8.7 (HIGH, CVSS v4.0) and is capable of weighting that score against each customer environment's compliance policy to prioritize routing. Teams with network-exposed router or embedded-device images receive the finding in their configured inbox according to their org's severity thresholds.
Available
No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Tenda publishes a corrected firmware version. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable httpd service is exposed over the network, and the attacker must be able to reach it remotely to deliver the malicious staMac argument.
- Authentication: Required
  The CVSS vector specifies PR:L, meaning any low-privilege account on the device is sufficient to trigger the vulnerable code path; no admin access is needed.
- Victim interaction: Not required
  The attack is fully attacker-driven and requires no action from a logged-in user or administrator on the target device.
- Attack complexity: Detail
  AC:L indicates the exploit is reliable and condition-free, with no race conditions or special environmental state required to trigger the overflow.
Blast Radius
- Attacker reads memory contents of the httpd process, which may include session tokens, credentials, or configuration data stored in the running process.
- Attacker writes arbitrary data into the stack, overwriting return addresses and enabling execution of attacker-controlled code within the httpd process context.
- The affected httpd service crashes if the overflow is used for disruption rather than code execution, taking down web-based device management until the service restarts.
- Impact is contained to the device itself (SC:N, SI:N, SA:N), meaning lateral scope to other network systems requires additional attacker steps beyond this vulnerability alone.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-10188 is active and matched against every customer image on each scan cycle. Because no upstream fix has been published, patched-image rebuild is not yet available. In the interim, HarborGuard recommends customers apply network-policy isolation to restrict access to the httpd management interface to trusted management VLANs or IP ranges only, reducing the network-reachability requirement. Egress filtering on devices running the affected firmware can further limit the utility of any remote code execution. HarborGuard will re-evaluate this CVE on every advisory ingest cycle; once Tenda publishes a corrected firmware version, a patched-image rebuild will become available automatically, and customers with auto-remediation enabled will receive a rebuild, regression run, and a PR opened against affected workloads. For high-severity issues, the median time from upstream fix publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - Tenda / W12 3.0.0.7(4763)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
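
The vector above, decoded into the exploit conditions and interim mitigations this advisory lists. This is an added example, not HarborGuard's code: the function names and the `fixed_in` parameter are assumptions, and the parser accepts only the base metrics plus the `E` threat metric that appear on this page.

```python
# Added example: decode the advisory's CVSS v4.0 vector for triage.
VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"

# Mandatory base metrics in the order CVSS v4.0 requires, with allowed values.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN",
        "SC": "HLN", "SI": "HLN", "SA": "HLN"}
OPTIONAL = {"E": "XAPU"}  # other optional metrics are rejected by this sketch

def parse_vector(vector):
    """Return {metric: value}; raise ValueError on a malformed vector."""
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in parts:
        name, sep, value = part.partition(":")
        allowed = BASE.get(name) or OPTIONAL.get(name)
        if not sep or allowed is None or len(value) != 1 or value not in allowed:
            raise ValueError(f"bad metric: {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        metrics[name] = value
    if list(metrics)[:len(BASE)] != list(BASE):
        raise ValueError("base metrics missing or out of order")
    return metrics

def exploit_conditions(m):
    """Map metrics onto the conditions listed under Exploit Conditions."""
    return {
        "network_reachable": m["AV"] == "N",
        "auth_required": m["PR"] != "N",
        "victim_interaction": m["UI"] != "N",
        "low_complexity": m["AC"] == "L" and m["AT"] == "N",
        "contained_to_device": m["SC"] == m["SI"] == m["SA"] == "N",
        "poc_published": m.get("E") == "P",
    }

def interim_actions(m, fixed_in=None):
    """Interim mitigations named in the advisory; none once a fix exists."""
    if fixed_in is not None:
        return []
    actions = []
    if m["AV"] == "N":
        actions.append("restrict httpd management interface to trusted VLANs/IP ranges")
    if m["VI"] == "H":  # high integrity impact: limit what code execution can reach
        actions.append("apply egress filtering on devices running the affected firmware")
    return actions
```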