CVE-2026-5155
Published: 30 March 2026
Summary
CVE-2026-5155 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stack-based buffer overflow by enforcing validation of the 'wanmode' parameter in the /goform/AdvSetWan endpoint to prevent improper memory operations.
Implements memory safeguards like stack canaries, ASLR, and DEP to protect against exploitation of the stack buffer overflow triggered by manipulated inputs.
Requires identification, reporting, and correction of the specific buffer overflow flaw through firmware updates for Tenda CH22 version 1.0.0.1.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stack-based buffer overflow in the public web interface endpoint (/goform/AdvSetWan) directly enables remote exploitation of a public-facing application to achieve arbitrary code execution on the device.
NVD Description
A vulnerability was found in Tenda CH22 1.0.0.1. This affects the function fromAdvSetWan of the file /goform/AdvSetWan of the component Parameter Handler. The manipulation of the argument wanmode results in stack-based buffer overflow. The attack can be executed remotely. The…
more
exploit has been made public and could be used.
Deeper analysisAI
CVE-2026-5155 is a stack-based buffer overflow vulnerability in Tenda CH22 firmware version 1.0.0.1. It affects the fromAdvSetWan function within the /goform/AdvSetWan endpoint of the Parameter Handler component, triggered by manipulating the wanmode argument. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), the issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-30.
Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution or system compromise on the affected device.
Advisories from VulDB detail the vulnerability and reference a publicly available exploit on GitHub at https://github.com/Litengzheng/vuldb_new/blob/main/CH22/vul_47/README.md, which could be used by attackers. The manufacturer's site at https://www.tenda.com.cn/ is listed, but no specific patches or mitigations are detailed in the provided references. Security practitioners should monitor for firmware updates from Tenda.
The exploit's public disclosure increases the risk of real-world attacks against exposed Tenda CH22 devices.
Details
- CWE(s)