CVE-2026-6121
Published: 12 April 2026
Summary
CVE-2026-6121 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the Tenda F451 router (firmware 1.0.0.7). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-6121 is a stack-based buffer overflow vulnerability affecting the Tenda F451 router on firmware version 1.0.0.7. The issue resides in the WrlclientSet function of the /goform/WrlclientSet file within the httpd component, where manipulation of the GO argument triggers the overflow. Published on 2026-04-12, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8.
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation has a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution. An exploit has been published and may be used.
Advisories and additional details are available via VulDB entries (https://vuldb.com/vuln/356984, https://vuldb.com/vuln/356984/cti, https://vuldb.com/submit/792865), a GitHub issue (https://github.com/Jimi-Lab/cve/issues/12), and the vendor site (https://www.tenda.com.cn/). No specific patch or mitigation guidance is detailed in the primary description.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21720
Vulnerability details
A flaw has been found in Tenda F451 1.0.0.7. Affected by this vulnerability is the function WrlclientSet of the file /goform/WrlclientSet of the component httpd. This manipulation of the argument GO causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack-based buffer overflow in the public-facing httpd web interface enables remote arbitrary code execution on the Linux-based router, mapping directly to T1190 for initial access and T1059.004 for subsequent Unix shell command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Implements input validation at critical entry points like the GO argument in /goform/WrlclientSet to prevent stack-based buffer overflows.
Requires identification, reporting, and correction of the specific buffer overflow flaw in the httpd component's WrlclientSet function.
Deploys memory protections such as stack canaries and non-executable stacks to mitigate exploitation of the stack-based buffer overflow.