CVE-2026-7099
Published: 27 April 2026
Summary
CVE-2026-7099 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation through vendor firmware patches directly eliminates the buffer overflow vulnerability in the formQuickIndex function.
Information input validation mechanisms prevent buffer overflows by rejecting or sanitizing malformed mit_linktype arguments in the httpd component.
Memory protection safeguards such as non-executable memory and ASLR thwart arbitrary code execution from successful buffer overflows.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in router's httpd web interface enables remote code execution from low-privileged access, directly facilitating Exploit Public-Facing Application and Exploitation for Privilege Escalation.
NVD Description
A vulnerability was detected in Tenda F456 1.0.0.5. The affected element is the function formQuickIndex of the file /goform/QuickIndex of the component httpd. Performing a manipulation of the argument mit_linktype results in buffer overflow. The attack may be initiated remotely.…
more
The exploit is now public and may be used.
Deeper analysisAI
CVE-2026-7099 is a buffer overflow vulnerability affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw exists in the formQuickIndex function of the /goform/QuickIndex file within the httpd component, where manipulation of the mit_linktype argument triggers the overflow. It is classified under CWE-119 and CWE-120, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users, with low attack complexity and no requirement for user interaction. Successful exploitation can result in high confidentiality, integrity, and availability impacts, potentially leading to arbitrary code execution on the device.
VulDB advisories document the issue and note that a public exploit is available on GitHub, which may be used by attackers. Practitioners should consult the Tenda website and referenced VulDB pages for any vendor-provided patches or mitigation steps.
Details
- CWE(s)