A critical stack-based buffer overflow in the formDOMAINBLK handler of Tenda HG7, HG9, and HG10 XPON routers allows unauthenticated remote attackers to corrupt memory by manipulating the blkDomain argument.
What Is It
CVE-2026-11499 is a stack-based buffer overflow (CWE-121, CWE-119) affecting the formDOMAINBLK function in /boaform/formDOMAINBLK on Tenda HG7, HG9, and HG10 devices running firmware 300001138_en_xpon. According to the NVD record, manipulation of the blkDomain argument triggers the overflow, and the attack can be performed remotely without authentication or user interaction.
The flaw carries a CVSS v3.1 base score of 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 9.3 (CRITICAL). Legacy CVSS v2.0 rates it at the maximum score of 10.0.
Why It Matters
The bug is reachable over the network with no privileges and no user interaction, and it impacts confidentiality, integrity, and availability at the highest level. Stack-based buffer overflows in embedded web handlers like boaform have historically been weaponized into reliable remote code execution against consumer and SOHO routers. Any device exposing the affected /boaform/formDOMAINBLK endpoint to an untrusted network is at risk of full compromise.
This CVE is not currently listed in the CISA KEV catalog, so active in-the-wild exploitation has not been confirmed by CISA at the time of writing.
What's Vulnerable
- Vendor: Tenda
- Models: HG7, HG9, HG10 (XPON series)
- Firmware: 300001138_en_xpon
- Vulnerable component: formDOMAINBLK function in /boaform/formDOMAINBLK
- Vulnerable parameter: blkDomain
Patch Status
The supplied NVD record does not list a vendor advisory, fixed firmware version, or patch. No CISA KEV required-action guidance is available because the CVE is not in the catalog. Until Tenda publishes a fix, operators should restrict remote access to the device web interface and avoid exposing the boaform endpoints to the internet.
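As an added example (not from the NVD record or from Tenda), here is a check that a reverse proxy or log pipeline in front of the management interface could run on requests for the handler: it flags sources outside a management network and blkDomain values that are not plausible hostnames. The management subnet, the URL-encoded form encoding, and the premise that a legitimate blkDomain value is a DNS hostname are assumptions not stated on the page.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/boaform/formDOMAINBLK"   # handler path named in the advisory
PARAM = "blkDomain"                   # parameter named in the advisory
MAX_NAME, MAX_LABEL = 253, 63         # DNS name and label length limits
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# Assumption: networks allowed to reach the router's web interface.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]

def is_hostname(value):
    """True when every dot-separated label is a valid DNS label."""
    labels = value.rstrip(".").split(".")
    return all(len(l) <= MAX_LABEL and LABEL_RE.fullmatch(l) for l in labels)

def inspect(src, target, body=""):
    """Return reasons a request to the handler is suspicious; [] means clean."""
    url = urlsplit(target)
    if url.path.rstrip("/") != ENDPOINT:
        return []
    reasons = []
    if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
        reasons.append(f"{ENDPOINT} reached from non-management source {src}")
    # Assumption: the field is URL-encoded in the query string or form body.
    values = []
    for raw in (url.query, body):
        values += parse_qs(raw, keep_blank_values=True).get(PARAM, [])
    for value in values:
        if len(value) > MAX_NAME:
            reasons.append(f"{PARAM} is {len(value)} characters (limit {MAX_NAME})")
        elif not is_hostname(value):
            reasons.append(f"{PARAM} is not a well-formed hostname")
    return reasons

# Constructed sample requests: (source address, request target, form body).
SAMPLES = [
    ("192.168.1.10", ENDPOINT, "blkDomain=ads.example.com"),
    ("192.168.1.10", ENDPOINT, "blkDomain=" + "a" * 300),
    ("203.0.113.7", ENDPOINT, "blkDomain=example.org"),
    ("192.168.1.10", "/index.html", ""),
]

if __name__ == "__main__":
    for src, target, body in SAMPLES:
        print(src, target, inspect(src, target, body) or "clean")
```

The same predicate can drive a block rule at the proxy or an alert over stored request logs.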