CVE-2026-7082
Published: 27 April 2026
Summary
CVE-2026-7082 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-7082 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the Tenda F456 router on firmware version 1.0.0.5. The issue lies in the formWrlExtraSet function of the /goform/WrlExtraSet endpoint within the httpd component. An attacker can trigger the buffer overflow by manipulating the "Go" argument.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely with low attack complexity by an authenticated user with low privileges and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the device. An exploit has been published and may be used.
Mitigation guidance and advisories are available via VulDB entries (https://vuldb.com/vuln/359657, https://vuldb.com/submit/798465, https://vuldb.com/vuln/359657/cti), a GitHub repository detailing the exploit (https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_134/README.md), and the manufacturer's website (https://www.tenda.com.cn/).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25765
Vulnerability details
A flaw has been found in Tenda F456 1.0.0.5. Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Executing a manipulation of the argument Go can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in remote web interface (/goform/WrlExtraSet) of network device allows authenticated RCE; directly maps to exploiting public-facing application for initial access and code execution.
Mitigating Controls (NIST 800-53 r5)
Directly validates the manipulated 'Go' argument in the formWrlExtraSet function to prevent buffer overflow exploitation.
Remediates the specific buffer overflow flaw in the httpd component's /goform/WrlExtraSet endpoint through timely patching.
Implements memory protections such as address space randomization and data execution prevention to mitigate buffer overflow exploitation attempts.