How is CVE-2026-11498 exploited?

Network reachability (required): The attacker must be able to reach the device's web management interface over the network; no physical or local access is required. Authentication (required): A low-privilege account on the web management interface is sufficient; no administrative credentials are needed. Victim interaction (not-required): No user action or social engineering is needed; the attacker sends a crafted HTTP request directly to the vulnerable endpoint. Attack complexity (info): Attack complexity is low, meaning the overflow is reliably triggered without race conditions or special environmental prerequisites.

What is the impact of CVE-2026-11498?

Reads sensitive data stored or processed by the device, including VoIP configuration, credentials, and any data accessible to the management process. Writes arbitrary data to the stack, enabling an attacker to overwrite return addresses and redirect execution to attacker-controlled code. Crashes the affected web management service or the entire device, causing a denial of service and loss of network management access. Remote code execution on the router gives the attacker a persistent foothold on the network edge, allowing traffic inspection or lateral movement to connected segments.

Back to search

HIGHCVE-2026-11498Published 2026-06-08Modified 2026-06-08CNA VulDB

CVE-2026-11498: Tenda HG7HG9/HG10 Web Management voip_other_set asp_voip_OtherSet stack-based overflow

A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Performing a manipulation of the argument funckey_transfer results in stack-based buffer overflow. The attack is possible to be carried out remotely.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 2

HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the web management interface of Tenda HG7HG9 and HG10 routers running firmware version 300001138_en_xpon. The vulnerability is reachable over the network by an attacker with a low-privilege account, requiring no victim interaction; it resides in the asp_voip_OtherSet function at /boaform/voip_other_set when the funckey_transfer argument is manipulated with oversized input. Successful exploitation gives an attacker full read, write, and crash capability over the affected device. No upstream fix has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-11498 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including VulDB within minutes of publication and matched against customer images and firmware-derived containers in connected registries and CI pipelines, including custom-built images that bundle Tenda firmware components.

Available

Triage

HarborGuard can score matched findings at CVSS 8.7 High (v4.0) and apply per-environment compliance policy weighting to determine urgency, routing alerts to the appropriate team inbox within each customer organization based on configured severity thresholds and asset criticality.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, the finding remains open and visible in each affected environment's vulnerability queue for manual compensating-control action.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must be able to reach the device's web management interface over the network; no physical or local access is required.
AuthenticationRequired
A low-privilege account on the web management interface is sufficient; no administrative credentials are needed.
Victim interactionNot required
No user action or social engineering is needed; the attacker sends a crafted HTTP request directly to the vulnerable endpoint.
Attack complexityDetail
Attack complexity is low, meaning the overflow is reliably triggered without race conditions or special environmental prerequisites.

Blast Radius

Reads sensitive data stored or processed by the device, including VoIP configuration, credentials, and any data accessible to the management process.
Writes arbitrary data to the stack, enabling an attacker to overwrite return addresses and redirect execution to attacker-controlled code.
Crashes the affected web management service or the entire device, causing a denial of service and loss of network management access.
Remote code execution on the router gives the attacker a persistent foothold on the network edge, allowing traffic inspection or lateral movement to connected segments.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-11498, the CVE remains an open tracked advisory in every environment where affected Tenda firmware images are detected. Customers are advised to apply compensating controls while waiting for an upstream fix: restrict access to the web management interface using network policy rules that limit inbound connections to trusted management hosts only; apply egress filtering on the management VLAN to reduce the value of a compromised device as a pivot point; and consider disabling the VoIP other-set endpoint via a feature-flag or ACL if the functionality is not in active use. HarborGuard will re-check the advisory each ingest cycle and, the moment an upstream fix version is published, a patched-image rebuild will become available automatically. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads with no manual intervention required.

See how HarborGuard automates this

Affected packages

Tenda / HG7HG9
300001138_en_xpon
Tenda / HG10
300001138_en_xpon

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X

References

Metrics

Get notified