CVE-2026-6137
Published: 13 April 2026
Summary
CVE-2026-6137 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F451 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stack-based buffer overflow by validating inputs like wanmode and PPPOEPassword at the /goform/AdvSetWan endpoint.
Implements memory protections such as stack canaries or non-executable stacks to prevent exploitation of the stack-based buffer overflow.
Requires timely flaw remediation through firmware patching to eliminate the specific buffer overflow vulnerability in Tenda F451 firmware.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public-facing web form (/goform/AdvSetWan) on network device allows remote low-priv authenticated attackers to achieve arbitrary code execution, directly mapping to T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).
NVD Description
A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromAdvSetWan of the file /goform/AdvSetWan. The manipulation of the argument wanmode/PPPOEPassword results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit…
more
is now public and may be used.
Deeper analysisAI
CVE-2026-6137 is a stack-based buffer overflow vulnerability affecting the Tenda F451 router on firmware version 1.0.0.7_cn_svn7958. The flaw exists in the fromAdvSetWan function within the /goform/AdvSetWan file, where manipulation of the wanmode or PPPOEPassword arguments triggers the overflow. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by low-privileged attackers (PR:L) accessible over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution on the affected device.
Advisories provide further details via VulDB entries (https://vuldb.com/vuln/357001, https://vuldb.com/vuln/357001/cti, https://vuldb.com/submit/792881) and a GitHub issue (https://github.com/Jimi-Lab/cve/issues/22), with the vendor site at https://www.tenda.com.cn/ potentially offering patches or updates.
The exploit is public and may be used, as noted in the vulnerability description published on 2026-04-13.
Details
- CWE(s)