CVE-2026-6199
Published: 13 April 2026
Summary
CVE-2026-6199 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the Tenda F456 router (vendor and product inferred from references). The summary lists a CVSS base score of 7.4 (High); the CVSS v3.1 vector quoted in the deeper analysis below works out to 8.8.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 37.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-6199 is a stack-based buffer overflow affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw is in the fromqossetting function, the handler behind the /goform/qossetting endpoint of the router's web interface: an over-long value supplied in the page request parameter overflows a fixed-size stack buffer. Published on 2026-04-13, it is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A remote attacker with network access to the web interface and low privileges (PR:L, i.e. an authenticated session on the router) can exploit the flaw with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially enabling arbitrary code execution and full device compromise.
The VulDB entry (https://vuldb.com/vuln/357121) details the issue, and a GitHub repository (https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_116/README.md) hosts the public exploit. The Tenda website (https://www.tenda.com.cn/) is listed as a reference, but the available references give no vendor mitigation or patched firmware version.
The exploit has been publicly disclosed and could be used, increasing the risk for unpatched Tenda F456 devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22063
Vulnerability details
A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used.
- CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stack-based buffer overflow in the public-facing web interface (/goform/qossetting) of the Tenda router enables remote exploitation for arbitrary code execution and full device compromise, directly mapping to T1190 (Exploit Public-Facing Application) and facilitating T1059.004 (Unix Shell) for command execution on the compromised Linux-based device.
Affected Assets
Tenda F456, firmware version 1.0.0.5
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of the page argument handled by /goform/qossetting, in particular a length check before it is copied into a fixed-size buffer, so that improper input handling cannot lead to a stack-based buffer overflow.
- SI-16 (Memory Protection): memory protection mechanisms such as stack canaries and address space layout randomization make exploitation of the stack buffer overflow harder. They are properties of how the firmware was built, cannot be enabled by the device owner, and do not remove the underlying bug.
- SI-2 (Flaw Remediation): mandates timely remediation of the known buffer overflow flaw in Tenda F456 firmware 1.0.0.5 via patching or upgrades once the vendor provides a fix; until then, keep the web interface unreachable from untrusted networks.
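Added example, not code from the advisory, the VulDB entry, the linked exploit repository, or Tenda's firmware: the handler pattern that produces a stack-based overflow of the kind described in the deeper analysis above, beside the bounded version that the SI-10 control in the list above calls for. The 64-byte buffer, the 4-byte saved return address, the form_get accessor and every request body are assumptions or constructed inputs; the F456's real buffer size and code are not given on the page. The stack frame is simulated as a struct so the overflow can be observed without crashing the process.

```c
#include <stdio.h>
#include <string.h>

/* Assumptions (none come from the advisory): the handler copies the HTTP
 * "page" parameter into a 64-byte stack buffer, and the target is a 32-bit
 * CPU so the saved return address is 4 bytes. */
#define PAGE_BUF_SIZE 64
#define RET_SIZE      4
#define RA_SENTINEL   0xA5

/* Stand-in for the handler's stack frame: the page[] buffer followed by the
 * saved return address that a stack-based overflow runs into. */
struct fake_frame {
    char          page[PAGE_BUF_SIZE];
    unsigned char saved_ra[RET_SIZE];
};

void frame_init(struct fake_frame *f) {
    memset(f->page, 0, sizeof f->page);
    memset(f->saved_ra, RA_SENTINEL, sizeof f->saved_ra);
}

/* 1 if any byte of the simulated return address was overwritten. */
int ra_clobbered(const struct fake_frame *f) {
    for (size_t i = 0; i < RET_SIZE; i++)
        if (f->saved_ra[i] != RA_SENTINEL) return 1;
    return 0;
}

/* Minimal key=value lookup in a form body or query string (no URL decoding),
 * standing in for the firmware's websGetVar-style accessor. Returns a pointer
 * into body plus the value length, or NULL if the key is absent. */
static const char *form_get(const char *body, const char *key, size_t *vlen) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v   = p + klen + 1;
            const char *end = strchr(v, '&');
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    *vlen = 0;
    return NULL;
}

/* Vulnerable pattern (CWE-121): the value is copied into page[] with no length
 * check, as strcpy(page, value) would. The copy is a byte loop over the whole
 * frame so this demo stays inside one C object; a real strcpy has no such stop
 * and keeps writing up the stack. */
int vulnerable_qossetting(struct fake_frame *f, const char *body) {
    size_t vlen, i;
    const char *v = form_get(body, "page", &vlen);
    if (!v) return -1;
    unsigned char *dst = (unsigned char *)f;
    for (i = 0; i < vlen && i < sizeof *f; i++)
        dst[i] = (unsigned char)v[i];
    if (i < sizeof *f) dst[i] = '\0';        /* strcpy's terminating NUL */
    return 0;
}

/* Hardened form (SI-10 input validation): check the length before copying,
 * copy with an explicit bound and always NUL-terminate. An over-long value is
 * rejected, not silently truncated, so the caller can answer with an error. */
int hardened_qossetting(struct fake_frame *f, const char *body) {
    size_t vlen;
    const char *v = form_get(body, "page", &vlen);
    if (!v) return -1;
    if (vlen >= PAGE_BUF_SIZE) return -2;    /* would not fit with the NUL */
    memcpy(f->page, v, vlen);
    f->page[vlen] = '\0';
    return 0;
}

/* Builds a constructed request body "page=AAAA..." with value_len bytes of 'A'. */
int make_page_request(char *out, size_t outsz, size_t value_len) {
    if (value_len + 6 > outsz) return -1;    /* "page=" + value + NUL */
    memcpy(out, "page=", 5);
    memset(out + 5, 'A', value_len);
    out[5 + value_len] = '\0';
    return 0;
}

int main(void) {
    struct fake_frame f;
    char req[128];
    const char *benign = "page=qos_setting&enable=1";   /* constructed body */
    frame_init(&f);
    vulnerable_qossetting(&f, benign);
    printf("vulnerable, benign value : ra_clobbered=%d page=\"%s\"\n", ra_clobbered(&f), f.page);
    make_page_request(req, sizeof req, 80);              /* 80 > 64: reaches saved RA */
    frame_init(&f);
    vulnerable_qossetting(&f, req);
    printf("vulnerable, 80-byte value: ra_clobbered=%d\n", ra_clobbered(&f));
    frame_init(&f);
    int rc = hardened_qossetting(&f, req);
    printf("hardened,   80-byte value: rc=%d ra_clobbered=%d\n", rc, ra_clobbered(&f));
    return 0;
}
```

Compile with any C99 compiler and run: the second case shows the 80-byte value overwriting the simulated return address, the third shows the hardened handler refusing the same request before anything is copied. Stack canaries and ASLR (the SI-16 items) would only make the second case harder to turn into code execution; the length check is the fix.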