Publicly Disclosed Stack Overflow Flaws Expose Tenda F451 Routers to Remote Attack
Two high-severity vulnerabilities, CVE-2026-6122 and CVE-2026-6136, were disclosed for Tenda F451 routers, both affecting firmware 1.0.0.7 and enabling remote stack-based buffer overflow attacks through the device's httpd web interface. The flaws reside in the /goform/L7Prot and /goform/L7Im endpoints, specifically in the frmL7ProtForm and frmL7ImForm functions, where improper handling of the page argument can corrupt stack memory.
Both CVEs are mapped to CWE-119 and CWE-121, and the disclosures indicate that public exploit details are already available, raising the risk of near-term exploitation against exposed devices. One advisory notes the issue requires only low privileges for exploitation, and both entries describe the attack path as remote, making internet-accessible or poorly segmented Tenda F451 deployments a likely target for abuse.
Timeline
Apr 13, 2026
CVE-2026-6136 recorded for Tenda F451 L7Im stack overflow
A second CVE entry was published for a stack-based buffer overflow in the frmL7ImForm function of /goform/L7Im on Tenda F451 firmware 1.0.0.7_cn_svn7958. The vulnerability is remotely exploitable through the page argument, and public exploit disclosure was also noted.
Apr 12, 2026
CVE-2026-6122 recorded for Tenda F451 httpd stack overflow
A CVE entry was published for a stack-based buffer overflow in the frmL7ProtForm function of /goform/L7Prot in the Tenda F451 httpd component affecting version 1.0.0.7. The flaw is remotely exploitable via manipulation of the page argument, and the entry notes that a public exploit had already been disclosed.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Affected Products
Sources
Related Stories
Publicly Exploitable Stack Overflows Disclosed in Tenda F453 and F451 Routers
Two high-severity vulnerabilities have been disclosed in Tenda routers, both enabling remote stack-based buffer overflows through exposed `/goform/` endpoints. **CVE-2026-4551** affects the Tenda **F453** running version `1.0.0.3`, where the `fromSafeClientFilter` function in the `/goform/SafeClientFilter` handler can be exploited by manipulating the `menufacturer/Go` argument. **CVE-2026-5990** affects the Tenda **F451** running version `1.0.0.7`, where the `fromSafeEmailFilter` function in the `/goform/SafeEmailFilter` component can be triggered via the `page` argument. Both flaws are classified under **CWE-119** and **CWE-121** and are described as remotely exploitable with **public exploit information available**, raising the risk of active abuse against exposed devices. The CVE records assign high impact across **confidentiality, integrity, and availability** in published CVSS scoring, indicating that successful exploitation could give attackers a powerful path to compromise vulnerable edge networking equipment.
2 weeks ago
Multiple Remote Buffer Overflow Flaws Expose Tenda F456 Routers to Exploitation
Several high-severity vulnerabilities have been disclosed in the **Tenda F456** router running firmware `1.0.0.5`, affecting the device’s `httpd` component across multiple `/goform/` endpoints. The flaws include `CVE-2026-7053` in `frmL7ProtForm` via `/goform/L7Prot`, `CVE-2026-7055` in `fromVirtualSer` via `/goform/VirtualSer`, `CVE-2026-7056` in `fromSafeUrlFilter` via `/goform/SafeUrlFilter`, and `CVE-2026-7057` in `/goform/setcfm`. In each case, crafted input to parameters such as `page`, `menufacturer`, `Go`, `funcname`, or `funcpara1` can trigger a buffer overflow. The vulnerabilities are described as **remotely exploitable** and have been mapped to `CWE-119` and `CWE-120`, with CVSS scoring indicating high impact to confidentiality, integrity, and availability. Public exploit code has also been reported for all four issues, including references to VulDB and GitHub proof-of-concept material, raising the risk of active attacks against exposed devices. Organizations using affected Tenda F456 routers should treat the flaws as urgent exposure in internet-facing network infrastructure.
5 days ago
Publicly Exploitable Buffer Overflows Disclosed in Tenda FH451 and F453 Routers
Two high-severity vulnerabilities have been disclosed in Tenda router firmware, affecting **FH451 1.0.0.9** and **F453 1.0.0.3**. The flaws are tracked as `CVE-2026-4534` and `CVE-2026-4552` and both involve remotely reachable stack-based buffer overflows in web management handlers. In the FH451 case, the issue is in the `formWrlExtraSet` function exposed through the `/goform/WrlExtraSet` component, where manipulation of the `GO` argument can trigger memory corruption. In the F453 case, the vulnerable code is the `fromVirtualSer` function behind the `/goform/VirtualSer` endpoint, where the `page` argument can be abused to cause a similar overflow. Both CVE records indicate that **public exploits are available**, increasing the likelihood of opportunistic attacks against exposed devices. The disclosures map the weaknesses to `CWE-119` and `CWE-121`, reflecting out-of-bounds memory handling and stack-based buffer overflow conditions, and the published scoring points to high impact on confidentiality, integrity, and availability. Organizations using these Tenda models should treat the flaws as urgent remote compromise risks, especially where router administration interfaces are internet-accessible.
1 months ago