CVE-2026-6122
Published: 12 April 2026
Summary
CVE-2026-6122 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 41.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-6122 is a stack-based buffer overflow vulnerability affecting the Tenda F451 router on firmware version 1.0.0.7. The flaw resides in the frmL7ProtForm function within the /goform/L7Prot file of the httpd component, where manipulation of the "page" argument triggers the overflow. Published on 2026-04-12, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Remote attackers with low privileges can exploit this vulnerability without user interaction over the network. Exploitation allows severe impacts, including high confidentiality, integrity, and availability compromises, potentially enabling arbitrary code execution, data theft, or denial of service on the affected device.
Advisories referenced in VulDB entries (vuldb.com/vuln/356985 and related pages) and a GitHub issue (github.com/Jimi-Lab/cve/issues/14) confirm the remote attack vector and the public disclosure of an exploit. The core description outlines no specific mitigation, so the Tenda manufacturer site (tenda.com.cn) should be checked for firmware updates or patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21722
Vulnerability details
A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote stack-based buffer overflow in the httpd web server (/goform/L7Prot endpoint) directly enables exploitation of a public-facing application on the router for arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing this CVE by patching the buffer overflow in the Tenda F451 firmware.
SI-10 mandates input validation at critical entry points like the httpd /goform/L7Prot endpoint, preventing the stack buffer overflow from the manipulated 'page' argument.
SI-16 implements memory protections such as stack canaries and non-executable stacks, mitigating exploitation of the stack-based buffer overflow for arbitrary code execution.
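The SI-10 control above is the one a firmware developer can apply directly in the handler. The following is an added example, not Tenda's httpd code and not derived from the affected firmware: a hypothetical form handler that validates the length and alphabet of the "page" argument before copying it into a fixed-size stack buffer, which is the defect class CWE-121 describes. The buffer size, the accepted character set and the function names handle_l7prot_form and page_arg_is_valid are assumptions.

```c
/* Added example (not Tenda's code): a hypothetical httpd form handler that
 * applies input validation (SI-10) before a bounded copy of the "page"
 * argument into a fixed-size stack buffer. PAGE_MAX, the accepted alphabet
 * and the function names are assumptions, not values from the firmware. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PAGE_MAX 64  /* assumed capacity of the stack buffer, including the NUL */

/* Length of s, scanning at most limit bytes so an unterminated or oversized
 * argument is never measured past the limit (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Returns 1 if the argument can be copied into a PAGE_MAX-byte buffer, else 0.
 * Rejects NULL, empty, oversized and non-identifier input. The identifier-style
 * alphabet is an assumption about what a page selector should look like. */
int page_arg_is_valid(const char *value)
{
    if (value == NULL) return 0;
    size_t n = bounded_len(value, PAGE_MAX);
    if (n == 0 || n >= PAGE_MAX) return 0;   /* empty, or no room for the NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened handler shape: validate first, then copy with an explicit bound.
 * Returns 0 on success and -1 when the argument is rejected; out receives the
 * response text. The defect class this avoids is an unbounded copy of the
 * argument into the local `page` array. */
int handle_l7prot_form(const char *page_arg, char *out, size_t out_len)
{
    char page[PAGE_MAX];                    /* fixed-size stack buffer */
    if (!page_arg_is_valid(page_arg)) return -1;
    snprintf(page, sizeof page, "%s", page_arg);   /* bounded, NUL-terminated */
    snprintf(out, out_len, "L7Prot page=%s", page);
    return 0;
}

/* Self-check helper: 1 if an argument longer than the buffer is rejected. */
int oversized_arg_rejected(void)
{
    char big[PAGE_MAX + 16];                /* constructed oversized input */
    char out[128];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return handle_l7prot_form(big, out, sizeof out) == -1;
}

int main(void)
{
    char out[128];
    printf("valid arg -> %d\n", handle_l7prot_form("l7prot_main", out, sizeof out));
    printf("oversized arg rejected -> %d\n", oversized_arg_rejected());
    return 0;
}
```

The length check before the copy is the SI-10 part; compiling the same handler with stack protection and a non-executable stack is the SI-16 part and needs no change to this code.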