CVE-2026-5605
Published: 06 April 2026
Summary
CVE-2026-5605 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ch22 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely identification, reporting, prioritization, and correction of flaws like the stack buffer overflow in Tenda CH22 firmware, directly preventing exploitation via patches.
SI-10 requires validation of untrusted inputs such as the 'GO' argument in the /goform/WrlExtraSet endpoint to prevent stack-based buffer overflows.
SI-16 implements memory protections like stack canaries and non-executable stacks to mitigate exploitation of the stack buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public web form endpoint (/goform/WrlExtraSet) of router firmware enables remote exploitation of a public-facing application for arbitrary code execution.
NVD Description
A weakness has been identified in Tenda CH22 1.0.0.1. This affects the function formWrlExtraSet of the file /goform/WrlExtraSet. Executing a manipulation of the argument GO can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has…
more
been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-5605 is a stack-based buffer overflow vulnerability affecting Tenda CH22 firmware version 1.0.0.1. The flaw exists in the formWrlExtraSet function processed by the /goform/WrlExtraSet endpoint, where manipulation of the "GO" argument triggers the overflow. Published on 2026-04-06, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by low-privileged attackers (PR:L) over the network with low attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, likely allowing arbitrary code execution via the buffer overflow.
VulDB advisories (vuln/355397) document the issue and reference a public exploit available on GitHub at Litengzheng/vuldb_new/blob/main/CH22/vul_54/README.md, noting its potential for attacks. Security practitioners should consult the Tenda website (tenda.com.cn) for firmware updates or mitigation guidance, as no specific patches are detailed in the provided references.
Details
- CWE(s)