CVE-2026-6630
Published: 20 April 2026
Summary
CVE-2026-6630 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-6630 is a buffer overflow vulnerability in Tenda F451 router firmware version 1.0.0.7_cn_svn7958. The issue resides in the fromGstDhcpSetSer function within the /goform/GstDhcpSetSer endpoint of the httpd component, where manipulation of the "dips" argument triggers the overflow. The vulnerability was published on 2026-04-20 and is remotely exploitable.
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), as indicated by its CVSS v3.1 base score of 8.8 (C:H/I:H/A:H). Exploitation leads to high impacts on confidentiality, integrity, and availability, mapped to CWE-119 and CWE-120. A public exploit exists, enabling remote initiation.
Advisories provide further details, including VulDB entries at https://vuldb.com/vuln/358264 and https://vuldb.com/vuln/358264/cti, a GitHub issue at https://github.com/Jimi-Lab/cve/issues/23, a submission at https://vuldb.com/submit/792882, and the vendor site at https://www.tenda.com.cn/. Practitioners should consult these for patch availability and mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23827
Vulnerability details
A vulnerability was found in Tenda F451 1.0.0.7_cn_svn7958. This issue affects the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. Performing a manipulation of the argument dips results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Remote buffer overflow in the router's public-facing httpd web interface (/goform/GstDhcpSetSer) directly enables exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires identification, reporting, and correction of the specific buffer overflow flaw in the fromGstDhcpSetSer function of the httpd component.
- SI-10 (Information Input Validation): mandates validation of the 'dips' argument to prevent the buffer overflow triggered by malformed input to the /goform/GstDhcpSetSer endpoint.
- SI-16 (Memory Protection): implements memory protections such as non-executable stacks and ASLR to mitigate exploitation of the buffer overflow.
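As an added illustration of the SI-10 control above, and not Tenda's code: a hypothetical C handler that validates a `dips` form argument (assumed here to be a comma-separated list of IPv4 addresses, and `DIPS_MAX` an assumed buffer size) before copying it into a fixed-size buffer, rejecting overlong or malformed values instead of truncating them.

```c
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical fixed-size destination, as a small CGI handler might use. */
#define DIPS_MAX 64

/* Return 1 if s is a dotted-quad IPv4 address, else 0. */
static int is_ipv4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Validate the "dips" form argument and copy it into out[DIPS_MAX].
 * Returns 0 on success, -1 on a missing, overlong or malformed value.
 * The unsafe pattern this replaces is an unbounded strcpy() of the raw
 * argument into the fixed buffer; here nothing is copied until the whole
 * value has passed a length check and a per-field IPv4 check. */
int set_dhcp_ips(const char *dips, char out[DIPS_MAX]) {
    if (dips == NULL) return -1;
    size_t len = strnlen(dips, DIPS_MAX);       /* never scan past DIPS_MAX */
    if (len == 0 || len >= DIPS_MAX) return -1; /* reject, do not truncate */
    const char *p = dips;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t flen = comma ? (size_t)(comma - p) : strlen(p);
        char field[INET_ADDRSTRLEN];            /* 16: room for 255.255.255.255 */
        if (flen == 0 || flen >= sizeof field) return -1;
        memcpy(field, p, flen);
        field[flen] = '\0';
        if (!is_ipv4(field)) return -1;
        if (comma == NULL) break;
        p = comma + 1;
    }
    memcpy(out, dips, len + 1);                 /* bounded: len < DIPS_MAX */
    return 0;
}

/* Convenience wrapper for callers and tests: 1 if accepted, 0 if rejected. */
int dips_accepted(const char *dips) {
    char buf[DIPS_MAX];
    return set_dhcp_ips(dips, buf) == 0;
}
```

A well-formed but overlong list is rejected before any byte reaches the buffer, which is the property an unbounded copy lacks.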