CVE-2026-51601

Tenda · CP3 V3.0

A stack-based buffer overflow in the Tenda CP3 V3.0 RTSP service allows unauthenticated remote attackers to cause a denial-of-service condition.

Executive summary

A critical stack-based buffer overflow in Tenda CP3 V3.0 firmware enables remote, unauthenticated attackers to crash the device's RTSP service.

Vulnerability

The vulnerability exists in the RTSP service, where the device fails to properly validate the length of the 'clock=' parameter within the Range header of a PLAY request. An unauthenticated remote attacker can trigger a stack-based buffer overflow after completing a standard RTSP handshake, leading to a service crash.

Business impact

The vulnerability carries a CVSS score of 7.5, indicating a High severity risk. Successful exploitation results in a Denial of Service (DoS), effectively rendering the security camera or device unresponsive. In a business context, this leads to loss of operational visibility, potential security gaps in monitoring, and the requirement for manual device reboots to restore functionality.

Remediation

Immediate Action: Since no specific patch version is currently available, restrict network access to the RTSP service (typically port 554) to trusted management subnets only.

Proactive Monitoring: Monitor device logs and RTSP traffic for anomalous 'PLAY' requests or unexpected service restarts that may indicate attempted exploitation.

Compensating Controls: Deploy a Network Intrusion Prevention System (NIPS) or firewall rules to drop RTSP packets containing malformed or excessively long header values.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the lack of a verified vendor patch, organizations should prioritize network-level segmentation to shield the affected devices from external exposure. Administrators must monitor for vendor updates regarding firmware V31.1.9.91 and apply them immediately upon release to remediate the underlying buffer overflow.