CVE-2026-7082
Published: 27 April 2026
Summary
CVE-2026-7082 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates the manipulated 'Go' argument in the formWrlExtraSet function to prevent buffer overflow exploitation.
Remediates the specific buffer overflow flaw in the httpd component's /goform/WrlExtraSet endpoint through timely patching.
Implements memory protections such as address space randomization and data execution prevention to mitigate buffer overflow exploitation attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in remote web interface (/goform/WrlExtraSet) of network device allows authenticated RCE; directly maps to exploiting public-facing application for initial access and code execution.
NVD Description
A flaw has been found in Tenda F456 1.0.0.5. Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Executing a manipulation of the argument Go can lead to buffer overflow. The attack can…
more
be executed remotely. The exploit has been published and may be used.
Deeper analysisAI
CVE-2026-7082 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the Tenda F456 router on firmware version 1.0.0.5. The issue lies in the formWrlExtraSet function of the /goform/WrlExtraSet endpoint within the httpd component. An attacker can trigger the buffer overflow by manipulating the "Go" argument.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely with low attack complexity by an authenticated user with low privileges and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the device. An exploit has been published and may be used.
Mitigation guidance and advisories are available via VulDB entries (https://vuldb.com/vuln/359657, https://vuldb.com/submit/798465, https://vuldb.com/vuln/359657/cti), a GitHub repository detailing the exploit (https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_134/README.md), and the manufacturer's website (https://www.tenda.com.cn/).
Details
- CWE(s)