CVE-2026-6198
Published: 13 April 2026
Summary
CVE-2026-6198 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-6198 is a stack-based buffer overflow vulnerability (CWE-119, CWE-121) affecting Tenda F456 routers on firmware version 1.0.0.5. The flaw exists in the fromNatStaticSetting function processed via the /goform/NatStaticSetting endpoint, where manipulation of the "page" argument triggers the overflow.
Remote attackers with low privileges can exploit this vulnerability with low complexity and no user interaction, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially resulting in arbitrary code execution on the affected device.
Advisories and additional details are documented on VulDB (including submission and CTI entries) and a GitHub repository containing the publicly disclosed exploit. The Tenda vendor website provides a potential source for firmware updates or mitigation guidance.
The exploit has been disclosed to the public and may be used in active attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22058
Vulnerability details
A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit…
more
has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The stack-based buffer overflow in the public-facing web endpoint (/goform/NatStaticSetting) on the router directly enables remote exploitation of a public-facing application (T1190) and exploitation for privilege escalation, as low-privilege access leads to arbitrary code execution with high impact on C/I/A (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely identification, reporting, and correction of system flaws like this stack-based buffer overflow via firmware updates.
SI-10 enforces input validation on the 'page' argument in the /goform/NatStaticSetting endpoint to prevent the buffer overflow manipulation.
SI-16 implements memory protections such as stack canaries to thwart exploitation of the stack-based buffer overflow even if triggered.