CVE-2026-11498 - Vulnerability Details

- Tenda HG7HG9/HG10 Web Management voip_other_set asp_voip_OtherSet stack-based overflow

Description

A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Performing a manipulation of the argument funckey_transfer results in stack-based buffer overflow. The attack is possible to be carried out remotely.

Published: 2026-06-08

Score: 8.7 High

EPSS: 3.8% Low

KEV: No

Impact:

Action:

Analysis

Impact

A stack‑based buffer overflow vulnerability is present in the Web Management Interface of Tenda HG7HG9 and HG10 routers. The flaw affects the asp_voip_OtherSet function exposed at /boaform/voip_other_set. By manipulating the funckey_transfer argument, an attacker can overflow the stack, potentially enabling arbitrary code execution with the privileges of the web service. The weakness conforms to CWE‑119 and CWE‑121.

Affected Systems

The affected devices are Tenda HG7HG9 and HG10 routers running firmware version 300001_en_xpon, distributed by Tenda. The vulnerability resides in the web interface component and is triggered by requests to the voip_other_set endpoint.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the EPSS score of 4% suggests a moderate probability of exploitation in the wild. The flaw can be reached remotely via the router’s web management interface; the description does not specify that authentication is required, so the attack may be possible from any host that can connect to that service. The vulnerability is not currently listed in CISA’s KEV catalog, but its remote reach and high severity demand prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Tenda

HG7HG9

affected

Version	Status	Constraints
`300001138_en_xpon`	affected	—

Tenda

HG10

affected

Version	Status	Constraints
`300001138_en_xpon`	affected	—

No data.

Vendor Product Confidence Versions

Tenda

Hg10

100%

Version	Status	Scheme	Platform
`300001138_en_xpon`	affected	generic	—

Tenda

Hg7hg9

100%

Version	Status	Scheme	Platform
`300001138_en_xpon`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest firmware update released by Tenda that addresses the buffer overflow in the voip_other_set functionality.
If a patch is not yet available, block external access to the /boaform/voip_other_set URL or to the entire web management interface using firewall rules or access control lists to narrow the attack surface.
Restrict the web management interface to trusted IP addresses or a secured VPN, and disable remote management unless absolutely required.
Enable logging for HTTP requests and monitor the logs or deploy an intrusion detection system to alert on abnormal or repeated access attempts to the voip_other_set endpoint.

Generated by OpenCVE AI on June 24, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.03799.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/ssaaaa1234/tenda-hg10-voip-other-set-stack-overflow
https://vuldb.com/cve/CVE-2026-11498
https://vuldb.com/submit/834887
https://vuldb.com/vuln/369118
https://vuldb.com/vuln/369118/cti
https://www.tenda.com.cn/

History

Mon, 08 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 08:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Performing a manipulation of the argument funckey_transfer results in stack-based buffer overflow. The attack is possible to be carried out remotely.
Title		Tenda HG7HG9/HG10 Web Management voip_other_set asp_voip_OtherSet stack-based overflow
First Time appeared		Tenda Tenda hg10 Tenda hg7hg9
Weaknesses		CWE-119 CWE-121
CPEs		cpe:2.3:h:tenda:hg10:::::::: cpe:2.3:h:tenda:hg7hg9::::::::
Vendors & Products		Tenda Tenda hg10 Tenda hg7hg9
References		https://github.com/ssaaaa1234/tenda-hg10-voip-other-set-stack-overflow https://vuldb.com/cve/CVE-2026-11498 https://vuldb.com/submit/834887 https://vuldb.com/vuln/369118 https://vuldb.com/vuln/369118/cti https://www.tenda.com.cn/
Metrics		cvssV2_0 `{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:ND/RL:ND/RC:UR'}` cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:R'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Tenda Hg10 Hg7hg9

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-08T06:45:21.289Z

Updated: 2026-06-08T16:22:24.244Z

Reserved: 2026-06-07T13:22:12.336Z

Link: CVE-2026-11498

Vulnrichment

Updated: 2026-06-08T12:47:44.844Z

NVD

Status : Deferred

Published: 2026-06-08T09:16:29.753

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses

CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-121
Stack-based Buffer Overflow

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object