Cyber Resilience

CVE-2026-6122

Severity: High
Published: 12 April 2026
Modified: 13 April 2026
CVSS v4 score: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0054 (41.2nd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6122 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (product name inferred from references). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 41.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-6122 is a stack-based buffer overflow vulnerability affecting the Tenda F451 router on firmware version 1.0.0.7. The flaw resides in the frmL7ProtForm function within the /goform/L7Prot file of the httpd component, where manipulation of the "page" argument triggers the overflow. Published on 2026-04-12, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Remote attackers with low privileges can exploit this vulnerability without user interaction over the network. Exploitation allows severe impacts, including high confidentiality, integrity, and availability compromises, potentially enabling arbitrary code execution, data theft, or denial of service on the affected device.

Advisories referenced in VulDB entries (vuldb.com/vuln/356985 and related pages) and a GitHub issue (github.com/Jimi-Lab/cve/issues/14) confirm the remote attack vector and public disclosure of an exploit. The Tenda manufacturer site (tenda.com.cn) should be checked for firmware updates or patches, as no specific mitigation details are outlined in the core description.

EU & UK References

Vulnerability details

A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote stack-based buffer overflow in the httpd web server (/goform/L7Prot endpoint) directly enables exploitation of a public-facing application on the router for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9428 (shared CWE-119, CWE-121)
CVE-2026-2886 (shared CWE-119, CWE-121)
CVE-2025-8017 (shared CWE-119, CWE-121)
CVE-2025-8816 (shared CWE-119, CWE-121)
CVE-2025-14665 (shared CWE-119, CWE-121)
CVE-2025-9247 (shared CWE-119, CWE-121)
CVE-2026-5604 (shared CWE-119, CWE-121)
CVE-2025-8824 (shared CWE-119, CWE-121)
CVE-2025-11386 (shared CWE-119, CWE-121)
CVE-2025-15190 (shared CWE-119, CWE-121)

Affected Assets

Com (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 requires timely flaw remediation, directly addressing this CVE by patching the buffer overflow in the Tenda F451 firmware.

Prevent: SI-10 mandates input validation at critical entry points like the httpd /goform/L7Prot endpoint, preventing the stack buffer overflow from the manipulated 'page' argument.

Prevent: SI-16 implements memory protections such as stack canaries and non-executable stacks, mitigating exploitation of the stack-based buffer overflow for arbitrary code execution.
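The SI-10 control above is abstract; the following is an added illustration of what input validation at a form-handling entry point looks like for a CWE-121 pattern. It is not Tenda firmware code and does not reproduce frmL7ProtForm: the function names, the buffer size and the HTTP-style status codes are hypothetical. The defect class the CVE describes is a form argument copied into a fixed-size stack buffer without a length check (the classic unbounded strcpy); the hardened handler below bounds the copy and rejects the request instead of overflowing.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for a "page" form argument
 * (size chosen for the example, not taken from the real firmware). */
#define PAGE_BUF_SIZE 32

/* Bounds-checked copy of a NUL-terminated form argument into dst.
 * Returns 0 on success. Returns -1 and leaves dst untouched if the
 * argument is missing or would not fit together with its terminator.
 * The scan itself is bounded by dst_size so an unterminated input
 * cannot cause an over-read either. */
int copy_page_arg(const char *page, char *dst, size_t dst_size)
{
    if (page == NULL || dst == NULL || dst_size == 0)
        return -1;

    size_t len = 0;
    while (len < dst_size && page[len] != '\0')
        len++;
    if (len >= dst_size)          /* no room for the terminating NUL */
        return -1;

    memcpy(dst, page, len);
    dst[len] = '\0';
    return 0;
}

/* Simulated request handler (hypothetical). The unsafe pattern behind
 * CWE-121 would be an unconditional strcpy(buf, page); here the copy
 * is validated first and an oversized argument is rejected with a
 * client-error status rather than reaching the buffer. */
int handle_page_request(const char *page)
{
    char buf[PAGE_BUF_SIZE];

    if (copy_page_arg(page, buf, sizeof buf) != 0)
        return 400;               /* reject: missing or too long */

    /* ... normal processing of buf would follow here ... */
    return 200;
}
```

The important property is that the length check happens against the destination size rather than the source, and that failure is a visible rejection (which can also be logged at the device) rather than silent truncation.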

References