External risk intelligence

Tenda AC7 Stack Buffer Overflow Allows Remote Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-51846

The vulnerability exists in a WAN-facing component of a Tenda router. As a consumer internet gateway device, the WAN interface is designed to be directly exposed to the public internet to facilitate connectivity, making this service or its management interfaces commonly reachable from the internet in standard deployments.

Buffer Overflow

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability found in Tenda router firmware, specifically involving a buffer overflow that could allow remote code execution. The affected component is accessible from the internet, increasing the potential for exploitation. Given the nature of the device, understanding if this technology is in use and confirming exposure is the primary concern for leadership.

  • Issue: Router firmware allows remote code execution.
  • Why remember: WAN-facing devices are internet-accessible.
  • Executive takeaway: Confirm relevance and exposure of devices.

Attack Path

How an attacker could exploit the issue

An attacker can exploit a stack buffer overflow in the wanSpeed parameter of the Tenda AC7 router's AdvSetMacMtuWan interface. This interface is exposed to the internet, allowing an unauthenticated attacker to send specially crafted network traffic to trigger the vulnerability. Successful exploitation could lead to remote arbitrary code execution on the router.

  • Entry condition: Unauthenticated network access.
  • Trigger point: Specially crafted network traffic.
  • Resulting risk: Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A stack buffer overflow in the `wanSpeed` parameter of the router's web interface could allow an unauthenticated attacker to execute arbitrary code remotely. This could affect the router's core functionality and potentially allow an attacker to compromise the device.

  • Router functionality and integrity.
  • Remote code execution.
  • Device compromise and disruption.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability resides in a WAN-facing component of Tenda routers, meaning the affected technology is likely managed by network or infrastructure teams. The first practical step is to identify all deployed Tenda AC7 devices, confirm their reachability from the internet, and determine their criticality to business operations to prioritize remediation efforts.

  • Network or infrastructure teams own this issue.
  • Verify device reachability and business criticality.
  • Plan remediation during a maintenance window.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Tenda AC7 router and why does it have firmware?

The Tenda AC7 is a consumer networking device designed to manage home or small office internet connectivity. Like most routers, it runs firmware—a specialized operating system—to control hardware functions, route network traffic, and manage interfaces that let users configure settings like speed or security.

What is a stack buffer overflow as mentioned in CVE-2026-51846?

A stack buffer overflow is a memory safety issue (CWE-121) where a program writes more data to a memory area than it is designed to hold. In this specific case, the device fails to properly check the size of information provided to the wanSpeed parameter, allowing that extra data to overwrite adjacent memory, which can eventually lead to unauthorized command execution.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specially crafted network requests to the router's management interface. Because the vulnerability exists within the processing logic for the wanSpeed parameter, the bug is only triggered when the device receives this specific malicious input. Standard network traffic that stays within normal operating parameters does not trigger the overflow.

Is my device at risk according to Halo Surface Signal?

Halo Surface Signal identifies this as a high-priority concern because the affected component is on the WAN-facing interface. Since routers are fundamentally designed to bridge your local network with the public internet, this specific interface is often directly reachable from outside your network, increasing the potential for external interaction.

What should I do if I am running a Tenda AC7?

Your first step is to locate all Tenda AC7 units within your environment and document their role in your network. Once identified, confirm whether these devices are reachable from the internet. Prioritize these devices for updates or isolation during a scheduled maintenance window to protect the integrity of your network infrastructure.

References