CVE-2026-7034
Published: 26 April 2026
Summary
CVE-2026-7034 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh1202 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation through vendor firmware updates directly eliminates the stack-based buffer overflow in the WrlExtraSet function of the httpd component.
Information input validation restricts the 'Go' argument to safe lengths and formats, preventing the buffer overflow triggered by crafted HTTP requests to /goform/WrlExtraSet.
Memory protection mechanisms like stack canaries or non-executable memory mitigate exploitation of the stack-based buffer overflow even if invalid input reaches the vulnerable function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote stack-based buffer overflow in the web management interface (/goform/WrlExtraSet) of a router, directly enabling exploitation of a public-facing application for arbitrary code execution.
NVD Description
A vulnerability was found in Tenda FH1202 1.2.0.14(408). Affected by this issue is the function WrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Performing a manipulation of the argument Go results in stack-based buffer overflow. The attack may be…
more
initiated remotely. The exploit has been made public and could be used.
Deeper analysisAI
CVE-2026-7034 is a stack-based buffer overflow vulnerability affecting the Tenda FH1202 router on firmware version 1.2.0.14(408). The flaw resides in the WrlExtraSet function within the /goform/WrlExtraSet file of the httpd component, where manipulation of the "Go" argument triggers the overflow. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges can exploit this vulnerability remotely without user interaction. By sending a crafted request to the affected endpoint, the adversary triggers the buffer overflow, potentially achieving arbitrary code execution with high impacts on confidentiality, integrity, and availability. A public exploit is available, increasing the risk of widespread abuse.
VULDB advisories (vuln/359614 and related entries) document the issue and submission details, while a GitHub repository provides a proof-of-concept exploit in its README. The Tenda vendor website is listed as a reference, though specific patch details are not outlined in the available information. Security practitioners should check for firmware updates directly from the vendor.
Details
- CWE(s)