CVE-2026-11499: Tenda HG7HG9/HG10 formDOMAINBLK stack-based overflow
A vulnerability was identified in Tenda HG7HG9 and HG10 300001138_en_xpon. It affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Manipulating the argument blkDomain can lead to a stack-based buffer overflow. The attack can be performed remotely.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 2
HarborGuard Analysis
Synopsis
A stack-based buffer overflow affects the formDOMAINBLK function in Tenda HG7HG9, HG9, and HG10 routers running firmware version 300001138_en_xpon. The vulnerability is reachable over the network without any authentication, by sending a crafted value in the blkDomain argument to the /boaform/formDOMAINBLK endpoint. Successful exploitation gives an attacker full control over the device, including the ability to execute arbitrary code. No fix has been published; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
- Available: Detection for CVE-2026-11499 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including VulDB. Coverage extends to custom-built images that bundle or derive from affected Tenda firmware layers.
- Available: Triage is available using the CVSS v4.0 score of 9.3 (Critical), weighted against each customer organization's per-environment compliance policy to determine urgency and route findings to the appropriate team inbox.
- Pending upstream: Because no upstream fix has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment Tenda releases a corrected firmware version. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to restrict access to the affected endpoint.
Exploit Conditions
- Network reachability: Required
The attacker must reach the device's web management interface over the network; the vulnerable endpoint is exposed via HTTP from a remote origin.
- Authentication: Not required
No account or credential of any privilege level is needed to submit a request to the formDOMAINBLK endpoint.
- Victim interaction: Not required
The attacker sends a crafted HTTP request directly to the device; no user action or interaction is required.
- Attack complexity: Detail
Exploit conditions are straightforward and reliable, with no race conditions, memory-layout dependencies, or other environmental factors required.
Blast Radius
- Attacker executes arbitrary code on the router with the privilege level of the web server process, gaining a foothold on the device.
- Attacker reads stored configuration data including credentials, Wi-Fi passphrases, and network topology details.
- Attacker modifies device configuration, redirecting DNS, disabling firewall rules, or adding rogue administrative accounts.
- Attacker crashes or reboots the device, disrupting network connectivity for all downstream hosts.
How HarborGuard Handles This
Available on HarborGuard: detection for this Critical-severity CVE is active and matches against all scanned images on every ingest cycle. Because no upstream patch exists for CVE-2026-11499, HarborGuard monitors the Tenda advisory and the VulDB feed continuously, and a patched-image rebuild will become available automatically the moment a fix version is published. While no patch is available, customers can use HarborGuard's network-policy isolation capability to flag and restrict container workloads that bundle affected Tenda firmware, limiting exposure of the /boaform/formDOMAINBLK endpoint to trusted network segments only. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered without manual intervention once an upstream fix is confirmed.
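A log-side check for the compensating control described above, added here as an example (not HarborGuard's or Tenda's code): it flags requests to /boaform/formDOMAINBLK that arrive from outside a trusted management segment or carry a blkDomain value that cannot be a DNS name. The trusted subnet, the record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

ENDPOINT = "/boaform/formDOMAINBLK"      # path named in the advisory
PARAM = "blkDomain"                      # argument named in the advisory
MAX_DNS_NAME = 253                       # longest valid DNS name in text form
HOSTNAME_RE = re.compile(r"[A-Za-z0-9._-]+")
# Assumption: the only segment allowed to reach the router's web interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

def check_request(src_ip, path, body):
    """Return the reasons a request deserves an alert (empty list = no alert)."""
    base, _, query = path.partition("?")
    if base != ENDPOINT:
        return []
    reasons = []
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in TRUSTED_NETS):
        reasons.append("endpoint reached from untrusted segment")
    # The parameter may arrive in the query string or in a form-encoded body.
    fields = parse_qs(f"{query}&{body}", keep_blank_values=True)
    for value in fields.get(PARAM, []):
        size = len(value.encode())
        if size > MAX_DNS_NAME:
            reasons.append(f"{PARAM} is {size} bytes, longer than any DNS name")
        elif not HOSTNAME_RE.fullmatch(value):
            reasons.append(f"{PARAM} contains non-hostname characters")
    return reasons

# Constructed sample records (src_ip, path, body); not captured traffic.
SAMPLE = [
    ("192.168.1.10", ENDPOINT, "blkDomain=ads.example.com"),
    ("203.0.113.7", ENDPOINT, "blkDomain=ads.example.com"),
    ("192.168.1.10", ENDPOINT, "blkDomain=" + "A" * 600),
    ("203.0.113.7", "/index.html", ""),
]

def scan(records):
    """Map record index -> reasons for every record that triggers an alert."""
    return {i: r for i, rec in enumerate(records) if (r := check_request(*rec))}

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE).items():
        print(SAMPLE[idx][0], SAMPLE[idx][1], "->", "; ".join(reasons))
```

The 253-byte limit is a property of DNS names, not of the firmware's buffer, so the length rule flags input that is invalid for a domain block list regardless of how large the vulnerable buffer is.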
- Tenda / HG7HG9: 300001138_en_xpon
- Tenda / HG10: 300001138_en_xpon
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X