Cyber Resilience

CVE-2026-7099

HighPublic PoC

Published: 27 April 2026

Published
27 April 2026
Modified
30 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0063 45.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7099 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-7099 is a buffer overflow vulnerability affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw exists in the formQuickIndex function of the /goform/QuickIndex file within the httpd component, where manipulation of the mit_linktype argument triggers the overflow. It is classified under CWE-119 and CWE-120, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users, with low attack complexity and no requirement for user interaction. Successful exploitation can result in high confidentiality, integrity, and availability impacts, potentially leading to arbitrary code execution on the device.

VulDB advisories document the issue and note that a public exploit is available on GitHub, which may be used by attackers. Practitioners should consult the Tenda website and referenced VulDB pages for any vendor-provided patches or mitigation steps.

EU & UK References

Vulnerability details

A vulnerability was detected in Tenda F456 1.0.0.5. The affected element is the function formQuickIndex of the file /goform/QuickIndex of the component httpd. Performing a manipulation of the argument mit_linktype results in buffer overflow. The attack may be initiated remotely.…

more

The exploit is now public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Buffer overflow in router's httpd web interface enables remote code execution from low-privileged access, directly facilitating Exploit Public-Facing Application and Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7079Same product: Tenda F456
CVE-2026-7100Same product: Tenda F456
CVE-2026-7032Same product: Tenda F456
CVE-2026-7030Same product: Tenda F456
CVE-2026-7078Same product: Tenda F456
CVE-2026-7029Same product: Tenda F456
CVE-2026-7055Same product: Tenda F456
CVE-2026-7057Same product: Tenda F456
CVE-2026-7033Same product: Tenda F456
CVE-2026-7098Same product: Tenda F456

Affected Assets

tenda
f456 firmware
1.0.0.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely remediation through vendor firmware patches directly eliminates the buffer overflow vulnerability in the formQuickIndex function.

prevent

Information input validation mechanisms prevent buffer overflows by rejecting or sanitizing malformed mit_linktype arguments in the httpd component.

prevent

Memory protection safeguards such as non-executable memory and ASLR thwart arbitrary code execution from successful buffer overflows.

References