How is CVE-2026-10191 exploited?

Network reachability (required): The attacker must reach the device's HTTP service over the network; no local access or physical proximity is needed. Authentication (required): A low-privilege account is sufficient; any valid login credential on the device satisfies this requirement. Victim interaction (not-required): No action from a logged-in user or any other person is needed to trigger the overflow. Attack complexity (info): Exploit reliability is high: no race conditions, memory-layout guessing, or special environmental factors are required.

What is the impact of CVE-2026-10191?

The attacker achieves arbitrary code execution on the router, gaining full control over the device. All data passing through or stored on the device, including Wi-Fi credentials and connected-client records, is readable by the attacker. The attacker can modify router configuration, including MAC filter rules, DNS settings, and routing tables. The httpd process and broader device operation can be crashed or held in an attacker-controlled state, disrupting network service for all connected clients.

Back to search

HIGHCVE-2026-10191Published 2026-05-31Modified 2026-05-31CNA VulDB

CVE-2026-10191: Tenda W12 httpd cgiWifiMacFilterSet stack-based overflow

A vulnerability was determined in Tenda W12 3.0.0.7(4763). Impacted is the function cgiWifiMacFilterSet of the file /bin/httpd. This manipulation of the argument wifiMacFilterSet.macList.mac causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A stack-based buffer overflow affects the Tenda W12 router firmware (version 3.0.0.7(4763)) in the cgiWifiMacFilterSet function of the httpd binary. The vulnerability is reachable over the network with a low-privilege account and requires no user interaction; an attacker supplies an oversized value in the wifiMacFilterSet.macList.mac argument to overflow a stack buffer. Successful exploitation gives the attacker full read, write, and execution control over the affected device. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Tenda W12 firmware or the affected httpd binary.

Available

Triage

HarborGuard scores this issue at CVSS 8.7 (HIGH) and surfaces it with that severity in each customer environment; per-environment compliance policy weighting can escalate or suppress the priority, and the finding is routed to the inbox configured for the affected workload owner.

Available

Patch

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that time.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the device's HTTP service over the network; no local access or physical proximity is needed.
AuthenticationRequired
A low-privilege account is sufficient; any valid login credential on the device satisfies this requirement.
Victim interactionNot required
No action from a logged-in user or any other person is needed to trigger the overflow.
Attack complexityDetail
Exploit reliability is high: no race conditions, memory-layout guessing, or special environmental factors are required.

Blast Radius

The attacker achieves arbitrary code execution on the router, gaining full control over the device.
All data passing through or stored on the device, including Wi-Fi credentials and connected-client records, is readable by the attacker.
The attacker can modify router configuration, including MAC filter rules, DNS settings, and routing tables.
The httpd process and broader device operation can be crashed or held in an attacker-controlled state, disrupting network service for all connected clients.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-10191 is active and matched against any image containing the affected Tenda W12 httpd binary. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. In the interim, compensating controls worth considering include network-policy isolation (restricting access to the router management interface to trusted source IPs only), egress filtering to limit what a compromised device can reach, and disabling remote management features where the firmware permits. For customers who opt into auto-remediation, the full rebuild, regression-test run, and PR-open flow will execute without manual intervention once an upstream fix is available.

See how HarborGuard automates this

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Tenda / W12
3.0.0.7(4763)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References