CVE-2026-5991
Published: 10 April 2026
Summary
CVE-2026-5991 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 39.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-5991 is a stack-based buffer overflow vulnerability affecting Tenda F451 routers on firmware version 1.0.0.7. The flaw resides in the formWrlExtraSet function within the /goform/WrlExtraSet file, where manipulation of the "GO" argument triggers the overflow. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers with low privileges, such as authenticated users over the network with low attack complexity and no user interaction required. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.
Advisories and additional details are available via VulDB entries (https://vuldb.com/vuln/356545, https://vuldb.com/vuln/356545/cti, https://vuldb.com/submit/792862) and a GitHub issue (https://github.com/Jimi-Lab/cve/issues/9), with the vendor site at https://www.tenda.com.cn/. The exploit has been made public and could be used.
Published on 2026-04-10, this vulnerability highlights risks in router web interfaces where insufficient input validation on parameters like "GO" leads to memory corruption.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21244
Vulnerability details
A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the function formWrlExtraSet of the file /goform/WrlExtraSet. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be launched remotely. The exploit has…
more
been made public and could be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authenticated remote stack-based buffer overflow in the router web interface form handler directly enables privilege escalation by allowing low-privilege users to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates input validation and error handling for parameters like 'GO' in web forms to directly prevent stack-based buffer overflows from improper restrictions.
SI-16 enforces memory protections such as stack canaries and address space layout randomization to mitigate exploitation of stack-based buffer overflows.
SI-2 requires timely flaw remediation, including patching the buffer overflow in the formWrlExtraSet function to eliminate the vulnerability.