CVE-2026-7097
Published: 27 April 2026
Summary
CVE-2026-7097 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating the buffer overflow by applying firmware patches for the Tenda F456 httpd vulnerability.
SI-10 enforces validation of information inputs at system entry points, preventing the buffer overflow triggered by manipulation of the 'page' argument in /goform/webExcptypemanFilter.
SI-16 provides memory protection safeguards that prevent unauthorized code execution resulting from the buffer overflow exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in httpd web interface (/goform/webExcptypemanFilter) allows remote RCE on public-facing router management page with low privileges and no user interaction.
NVD Description
A weakness has been identified in Tenda F456 1.0.0.5. This issue affects the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter of the component httpd. This manipulation of the argument page causes buffer overflow. The attack can be initiated remotely. The exploit…
more
has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-7097 is a buffer overflow vulnerability affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw exists in the fromwebExcptypemanFilter function within the /goform/webExcptypemanFilter file of the httpd component. Manipulation of the page argument triggers the buffer overflow, which is remotely exploitable and associated with CWE-119 and CWE-120.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), meaning it can be exploited over the network with low attack complexity by an attacker possessing low privileges, without requiring user interaction. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability, potentially allowing arbitrary code execution or full device compromise.
Advisories referenced on VulDB detail the issue and include a CTI entry, while a GitHub repository provides a publicly available exploit. The vendor Tenda's website is listed among references, though specific mitigation or patch details are not outlined in the provided information.
Details
- CWE(s)