CVE-2026-5991
Published: 10 April 2026
Summary
CVE-2026-5991 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates input validation and error handling for parameters like 'GO' in web forms to directly prevent stack-based buffer overflows from improper restrictions.
SI-16 enforces memory protections such as stack canaries and address space layout randomization to mitigate exploitation of stack-based buffer overflows.
SI-2 requires timely flaw remediation, including patching the buffer overflow in the formWrlExtraSet function to eliminate the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authenticated remote stack-based buffer overflow in the router web interface form handler directly enables privilege escalation by allowing low-privilege users to achieve arbitrary code execution with high impact on confidentiality, integrity, and availability.
NVD Description
A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the function formWrlExtraSet of the file /goform/WrlExtraSet. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be launched remotely. The exploit has…
more
been made public and could be used.
Deeper analysisAI
CVE-2026-5991 is a stack-based buffer overflow vulnerability affecting Tenda F451 routers on firmware version 1.0.0.7. The flaw resides in the formWrlExtraSet function within the /goform/WrlExtraSet file, where manipulation of the "GO" argument triggers the overflow. It is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers with low privileges, such as authenticated users over the network with low attack complexity and no user interaction required. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.
Advisories and additional details are available via VulDB entries (https://vuldb.com/vuln/356545, https://vuldb.com/vuln/356545/cti, https://vuldb.com/submit/792862) and a GitHub issue (https://github.com/Jimi-Lab/cve/issues/9), with the vendor site at https://www.tenda.com.cn/. The exploit has been made public and could be used.
Published on 2026-04-10, this vulnerability highlights risks in router web interfaces where insufficient input validation on parameters like "GO" leads to memory corruption.
Details
- CWE(s)