PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-51604 Tenda CVE debrief

CVE-2026-51604 is a stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91). An unauthenticated remote attacker can cause a denial of service via a crafted PLAY request. The vulnerability has a CVSS score of 7.5 and a severity of HIGH. This type of vulnerability can be used to disrupt service, and defenders should be cautious of potential impact on network availability. The vulnerability is caused by a buffer overflow in the RTSP service, which can be exploited by sending a crafted PLAY request.

Vendor
Tenda
Product
CP3 V3.0
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Security teams and administrators responsible for Tenda CP3 V3.0 devices should be aware of this vulnerability and take necessary actions to mitigate it. They should review the vulnerability details and assess the potential impact on their systems. They should also consider implementing additional security controls to prevent exploitation.

Technical summary

The vulnerability is caused by a stack-based buffer overflow in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91). An attacker can exploit this vulnerability by sending a crafted PLAY request, which can cause a denial of service. The vulnerability has a CVSS score of 7.5 and a severity of HIGH. There is no information available about potential patches or mitigations.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it can be exploited remotely and has a high CVSS score. Defenders should focus on applying patches or mitigations as soon as possible.

Recommended defensive actions

  • Apply the vendor-provided patch or update to a fixed version of the firmware.
  • Implement network segmentation to limit the attack surface.
  • Monitor network traffic for suspicious activity.
  • Consider implementing additional security controls, such as intrusion detection and prevention systems.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.

Evidence notes

The CVE record was published on 2026-07-09T17:17:00.970Z and was last modified on 2026-07-10T17:41:47.303Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record is based on limited source information and may not be comprehensive.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T17:17:00.970Z and has not been modified since then. The NVD entry is currently Deferred.