CVE-2026-7053
Published: 26 April 2026
Summary
CVE-2026-7053 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of known flaws like this buffer overflow via firmware updates or patches for the Tenda F456 router.
Requires validation of inputs such as the 'page' argument to prevent buffer overflows from improper restriction of operations within memory bounds.
Implements memory protections like address space layout randomization and stack guards to mitigate exploitation of buffer overflows even if the flaw persists.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the public-facing httpd web interface (/goform/L7Prot endpoint) allows remote exploitation for arbitrary code execution on the network device.
NVD Description
A security flaw has been discovered in Tenda F456 1.0.0.5. This affects the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Performing a manipulation of the argument page results in buffer overflow. Remote exploitation of the attack is…
more
possible. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-7053 is a buffer overflow vulnerability affecting the Tenda F456 router running firmware version 1.0.0.5. The flaw resides in the frmL7ProtForm function within the /goform/L7Prot endpoint of the httpd component. By manipulating the "page" argument, an attacker can trigger the buffer overflow, which is remotely exploitable. The vulnerability is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), and it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges, such as an authenticated user on the network, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full compromise of the affected device, including arbitrary code execution.
Advisories from VulDB detail the vulnerability and note public submission of the issue, with CTI (Cyber Threat Intelligence) coverage available. A proof-of-concept exploit is publicly released on GitHub at https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_124/README.md. Users should consult the Tenda website at https://www.tenda.com.cn/ for any firmware updates or mitigation guidance.
The exploit's public availability increases the risk of real-world attacks against unpatched Tenda F456 devices.
Details
- CWE(s)