Vulnerability in Tenda AC8v4 V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. After executing set_client_qos, control over the gp register can be obtained.

References
http://tenda.com
https://github.com/zt20xx/CVE-2023-48194