CVE-2026-6136
Published: 13 April 2026
Summary
CVE-2026-6136 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F451 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of flaws like the stack-based buffer overflow in the frmL7ImForm function, enabling patching of the vulnerable Tenda F451 firmware.
SI-10 mandates validation of information inputs such as the 'page' argument to prevent manipulation leading to stack-based buffer overflows.
SI-16 implements memory protections like stack canaries and non-executable stacks to mitigate exploitation of stack-based buffer overflows even if inputs are malformed.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing web form (/goform/L7Im) of router firmware directly enables remote exploitation of the application for arbitrary code execution and initial access.
NVD Description
A security vulnerability has been detected in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit…
more
has been disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-6136 is a stack-based buffer overflow vulnerability in the Tenda F451 router firmware version 1.0.0.7_cn_svn7958. The flaw affects the frmL7ImForm function in the /goform/L7Im file, triggered by manipulation of the "page" argument. Associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), it was published on 2026-04-13 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially enabling arbitrary code execution on the affected device. The exploit has been publicly disclosed and may be actively used.
Mitigation guidance and additional details are available in vendor and third-party advisories, including VulDB entries at https://vuldb.com/vuln/357000 and https://vuldb.com/vuln/357000/cti, a GitHub issue at https://github.com/Jimi-Lab/cve/issues/21, and the Tenda website at https://www.tenda.com.cn/. Security practitioners should consult these references for patching or workaround instructions.
Details
- CWE(s)