Cyber Resilience

CVE-2026-6630

Severity: High
Published: 20 April 2026
Modified: 22 April 2026
CVSS Score v4: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0045 (35.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6630 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the product recorded here as "Com" (inferred from references; see Affected Assets). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-6630 is a buffer overflow vulnerability in Tenda F451 router firmware version 1.0.0.7_cn_svn7958. The issue resides in the fromGstDhcpSetSer function within the /goform/GstDhcpSetSer endpoint of the httpd component, where manipulation of the "dips" argument triggers the overflow. The vulnerability was published on 2026-04-20 and is remotely exploitable.

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 8.8 (C:H/I:H/A:H). Exploitation leads to high impacts on confidentiality, integrity, and availability; the weakness is mapped to CWE-119 and CWE-120. A public exploit exists, so the attack can be initiated remotely without further development.

Advisories provide further details, including VulDB entries at https://vuldb.com/vuln/358264 and https://vuldb.com/vuln/358264/cti, a GitHub issue at https://github.com/Jimi-Lab/cve/issues/23, a submission at https://vuldb.com/submit/792882, and the vendor site at https://www.tenda.com.cn/. Practitioners should consult these for patch availability and mitigation guidance.


Vulnerability details

A vulnerability was found in Tenda F451 1.0.0.7_cn_svn7958. This issue affects the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. Performing a manipulation of the argument dips results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote buffer overflow in the router's public-facing httpd web interface (/goform/GstDhcpSetSer) directly enables exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7055 (shared CWE-119, CWE-120)
CVE-2026-1162 (shared CWE-119, CWE-120)
CVE-2025-12232 (shared CWE-119, CWE-120)
CVE-2025-15459 (shared CWE-119, CWE-120)
CVE-2025-7463 (shared CWE-119, CWE-120)
CVE-2026-2202 (shared CWE-119, CWE-120)
CVE-2026-5980 (shared CWE-119, CWE-120)
CVE-2026-7857 (shared CWE-119, CWE-120)
CVE-2026-7057 (shared CWE-119, CWE-120)
CVE-2025-13550 (shared CWE-119, CWE-120)

Affected Assets

Com (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent. Requires identification, reporting, and correction of the specific buffer overflow flaw in the fromGstDhcpSetSer function of the httpd component.

prevent (SI-10, Information Input Validation). Mandates validation of the 'dips' argument to prevent buffer overflow triggered by malformed input to the /goform/GstDhcpSetSer endpoint.

prevent (SI-16, Memory Protection). Implements memory protections such as non-executable stacks and ASLR to mitigate exploitation of the buffer overflow vulnerability.
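As an added illustration of the SI-10 control above and of the CWE-120 condition described in the deeper analysis (this is constructed example code, not code from the Tenda firmware or from this page), the following shows the unchecked copy that produces the overflow beside a handler that bounds the 'dips' argument before copying it. The buffer size, the status codes and the allowed character set are assumptions; the page does not state the format of 'dips'.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not Tenda's code. The fixed buffer size,
 * the allowed character set and the status codes are assumptions. */
#define DIPS_BUF_LEN 64

enum dips_status { DIPS_OK = 0, DIPS_MISSING, DIPS_TOO_LONG, DIPS_BAD_CHAR };

/* The CWE-120 shape: the form argument is copied into a fixed stack
 * buffer with no length check, so a value of DIPS_BUF_LEN bytes or more
 * overruns it. Shown only as the pattern that SI-10 removes; never call
 * it with untrusted input. */
void copy_dips_unchecked(char dst[DIPS_BUF_LEN], const char *src)
{
    strcpy(dst, src);
}

/* SI-10 hardened form: walk the input no further than the destination
 * can hold, reject bytes outside the allowlist (assumed here: digits,
 * '.' and ','), and reject anything that leaves no room for the NUL.
 * Only then copy. The caller maps any non-OK status to an HTTP 400. */
enum dips_status copy_dips_checked(char dst[DIPS_BUF_LEN], const char *src)
{
    if (src == NULL)
        return DIPS_MISSING;

    size_t n = 0;
    while (n < DIPS_BUF_LEN && src[n] != '\0') {
        unsigned char c = (unsigned char)src[n];
        if (!isdigit(c) && c != '.' && c != ',')
            return DIPS_BAD_CHAR;
        n++;
    }
    if (n >= DIPS_BUF_LEN)        /* bound reached: no room for the NUL */
        return DIPS_TOO_LONG;

    memcpy(dst, src, n);
    dst[n] = '\0';
    return DIPS_OK;
}

/* Convenience wrapper: validate into a local buffer and report only
 * the status, as a request handler's pre-check would. */
enum dips_status check_dips(const char *src)
{
    char buf[DIPS_BUF_LEN];
    return copy_dips_checked(buf, src);
}
```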
