Cyber Resilience

CVE-2026-6199

Severity: High

Published: 13 April 2026

Modified: 22 April 2026
KEV Added: not listed
Patch: none listed
CVSS v4 score: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0047 (37.2th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6199 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. The affected asset is recorded here only as "Com", a name inferred from the references because no CPE was filed; the deeper analysis below identifies the product as the Tenda F456 router. Its CVSS v4 base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-6199 is a stack-based buffer overflow vulnerability affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw resides in the fromqossetting function within the /goform/qossetting file, where manipulation of the page argument triggers the overflow. Published on 2026-04-13, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A remote attacker with network access and low privileges can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially enabling arbitrary code execution and full device compromise.

Advisories referenced in VulDB entries (e.g., https://vuldb.com/vuln/357121) detail the issue, while a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_116/README.md provides the public exploit. The Tenda website (https://www.tenda.com.cn/) is listed but offers no specific mitigation details in the available references.

The exploit has been publicly disclosed and could be used, increasing the risk for unpatched Tenda F456 devices.
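As an added illustration (not Tenda's firmware code and not taken from the referenced exploit repository), the following C sketch shows the CWE-121 pattern described above next to a hardened handler that applies the SI-10 style input validation listed under Mitigating Controls; the buffer size, function names and the `page` handling are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the handler's stack buffer; hypothetical, not from the firmware. */
#define PAGE_MAX 32

/* Illustrative CWE-121 pattern: the 'page' query argument is copied into a
 * fixed-size stack buffer with no length check, so over-long input overruns
 * the frame. Sketch only, not Tenda's code; never call it with untrusted input. */
void unsafe_qos_handler(const char *page) {
    char page_buf[PAGE_MAX];
    strcpy(page_buf, page);
    printf("page=%s\n", page_buf);
}

/* Hardened form (SI-10 style input validation): bounded length scan, an
 * allow-list of characters, and a bounded copy. Returns 0 on success, -1 for
 * a bad argument, -2 for a length violation, -3 for a disallowed byte. */
int safe_qos_handler(const char *page, char *out, size_t out_len) {
    if (page == NULL || out == NULL || out_len == 0) return -1;
    size_t n = 0;
    while (page[n] != '\0') {
        if (++n > PAGE_MAX - 1) return -2;  /* leave room for the terminator */
    }
    if (n == 0 || n >= out_len) return -2;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)page[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return -3;
    }
    memcpy(out, page, n);
    out[n] = '\0';
    return 0;
}

/* Validates 'page' into a stack buffer of the size the handler would use. */
int check_page(const char *page) {
    char page_buf[PAGE_MAX];
    return safe_qos_handler(page, page_buf, sizeof page_buf);
}

int main(void) {
    printf("valid: %d\n", check_page("qos1"));                                       /* 0 */
    printf("too long: %d\n", check_page("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")); /* -2 */
    printf("bad byte: %d\n", check_page("../etc"));                                  /* -3 */
    return 0;
}
```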

Vulnerability details

A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used.

CWE(s)

CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The stack-based buffer overflow in the public-facing web interface (/goform/qossetting) of the Tenda router enables remote exploitation for arbitrary code execution and full device compromise, directly mapping to T1190 (Exploit Public-Facing Application) and facilitating T1059.004 (Unix Shell) for command execution on the compromised Linux-based device.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2566 (shared CWE-119, CWE-121)
CVE-2026-3732 (shared CWE-119, CWE-121)
CVE-2026-3768 (shared CWE-119, CWE-121)
CVE-2026-5687 (shared CWE-119, CWE-121)
CVE-2026-5830 (shared CWE-119, CWE-121)
CVE-2026-6015 (shared CWE-119, CWE-121)
CVE-2026-5349 (shared CWE-119, CWE-121)
CVE-2026-6121 (shared CWE-119, CWE-121)
CVE-2026-6194 (shared CWE-119, CWE-121)
CVE-2026-3976 (shared CWE-119, CWE-121)

Affected Assets

Com (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: SI-10 (Information Input Validation). Requires validation of the 'page' argument in /goform/qossetting to prevent stack-based buffer overflow from improper input handling.

prevent: SI-16 (Memory Protection). Implements memory protection mechanisms such as stack canaries and address space layout randomization to block exploitation of the stack buffer overflow.

prevent: Mandates timely remediation of the known buffer overflow flaw in Tenda F456 firmware 1.0.0.5 via patching or upgrades.

References