CVE-2026-5154
Published: 30 March 2026
Summary
CVE-2026-5154 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the funcname argument in the /goform/setcfm endpoint to prevent stack-based buffer overflow from malformed inputs.
Implements memory protections such as stack canaries or DEP to mitigate exploitation of stack-based buffer overflows even if invalid input reaches the function.
Mandates timely remediation of the identified buffer overflow flaw in Tenda CH22 firmware via patching to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in authenticated web parameter handler (PR:L, remote, high C/I/A impact) directly enables code execution for privilege escalation on the device.
NVD Description
A vulnerability has been found in Tenda CH22 1.0.0.1/1.If. The impacted element is the function fromSetCfm of the file /goform/setcfm of the component Parameter Handler. The manipulation of the argument funcname leads to stack-based buffer overflow. Remote exploitation of the…
more
attack is possible. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2026-5154 is a stack-based buffer overflow vulnerability affecting Tenda CH22 firmware version 1.0.0.1/1.0.0.1. The issue resides in the fromSetCfm function within the /goform/setcfm file of the Parameter Handler component. Manipulation of the funcname argument triggers the overflow, as documented in the CVE description published on 2026-03-30.
The vulnerability enables remote exploitation over the network with low attack complexity and requires low privileges but no user interaction. According to the CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), successful attacks can compromise confidentiality, integrity, and availability to a high degree. Associated CWEs include CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
VulDB advisories detail the vulnerability at https://vuldb.com/vuln/354186 and related CTI at https://vuldb.com/vuln/354186/cti, with a submission entry at https://vuldb.com/submit/780206. A public exploit disclosure is available at https://github.com/Litengzheng/vuldb_new/blob/main/CH22/vul_48/README.md. The Tenda vendor site at https://www.tenda.com.cn/ provides relevant product information for potential mitigations or patches.
The exploit has been disclosed to the public and may be used, heightening the risk for unpatched Tenda CH22 devices.
Details
- CWE(s)