CVE-2026-2911
Published: 22 February 2026
Summary
CVE-2026-2911 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh451 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-2911 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting Tenda FH451 routers on firmware versions up to 1.0.0.9. The flaw occurs in the processing of the /goform/GstDhcpSetSer file or endpoint, enabling remote manipulation that triggers the overflow. Published on 2026-02-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), marking it as high severity.
The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user on the network. Low attack complexity and no user interaction are required, allowing exploitation over the network. Successful attacks can achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or system compromise.
Advisories provide further details via VulDB entries (ctiid.347220, id.347220, submit.755218), vuln.ricky.place/Tenda/FH451/, and the Tenda vendor site (tenda.com.cn/). The exploit has been publicly disclosed and may be actively used by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7544
Vulnerability details
A vulnerability has been found in Tenda FH451 up to 1.0.0.9. This issue affects some unknown processing of the file /goform/GstDhcpSetSer. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed…
more
to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in web management endpoint (/goform/GstDhcpSetSer) of Tenda FH451 router enables remote exploitation of a public-facing application for arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents buffer overflows by requiring validation of inputs to the vulnerable /goform/GstDhcpSetSer endpoint.
Requires timely remediation of known flaws like this buffer overflow through firmware patching or upgrades.
Implements memory protections such as stack guards and non-executable memory to mitigate exploitation of buffer overflows.