CVE-2026-5156
Published: 31 March 2026
Summary
CVE-2026-5156 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-5156 is a stack-based buffer overflow vulnerability affecting Tenda CH22 firmware version 1.0.0.1. The flaw resides in the formQuickIndex function of the /goform/QuickIndex file within the Parameter Handler component, triggered by manipulation of the mit_linktype argument. Published on 2026-03-31, it is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. It can be exploited remotely by attackers possessing low privileges, with low attack complexity and no requirement for user interaction. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability, potentially resulting in arbitrary code execution on the affected device.
Advisories and additional details are documented on VulDB (https://vuldb.com/vuln/354188, https://vuldb.com/vuln/354188/cti, https://vuldb.com/submit/780208) and a GitHub repository containing exploit information (https://github.com/Litengzheng/vuldb_new/blob/main/CH22/vul_46/README.md). The Tenda manufacturer's site (https://www.tenda.com.cn/) is referenced for potential firmware updates or further guidance.
The exploit has been publicly disclosed and may be utilized, heightening exposure risks for unpatched Tenda CH22 devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17252
Vulnerability details
A vulnerability was determined in Tenda CH22 1.0.0.1. This impacts the function formQuickIndex of the file /goform/QuickIndex of the component Parameter Handler. This manipulation of the argument mit_linktype causes stack-based buffer overflow. The attack is possible to be carried out…
more
remotely. The exploit has been publicly disclosed and may be utilized.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing web form (/goform/QuickIndex) enables remote exploitation of the application (T1190) with low privileges and no user interaction, resulting in arbitrary code execution on the embedded Linux device (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation through firmware updates directly eliminates the stack-based buffer overflow in the formQuickIndex function exploited via the mit_linktype argument.
Information input validation enforces bounds checking on parameters like mit_linktype to prevent stack-based buffer overflows in the Parameter Handler.
Memory protection mechanisms such as stack canaries and non-executable stacks mitigate arbitrary code execution from exploitation of the stack-based buffer overflow.