CVE-2026-7100
Published: 27 April 2026
Summary
CVE-2026-7100 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F456 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 23.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely patching and remediation of the specific buffer overflow flaw in the Tenda F456 httpd component to prevent remote exploitation.
- Implements memory protections such as a non-executable stack/heap to block arbitrary code execution from the buffer overflow in fromNatlimitof (SI-16, Memory Protection).
- Requires validation of inputs to the vulnerable /goform/Natlimit endpoint to prevent the buffer overflow manipulation (SI-10, Information Input Validation).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in the router's httpd web component enables remote exploitation of a public-facing application (T1190) and privilege escalation from low-privilege access to arbitrary code execution and system compromise (T1068).
NVD Description
A flaw has been found in Tenda F456 1.0.0.5. The impacted element is the function fromNatlimitof of the file /goform/Natlimit of the component httpd. Executing a manipulation can lead to buffer overflow. The attack may be launched remotely. The exploit has been published and may be used.
Deeper analysis
CVE-2026-7100 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw is in the fromNatlimitof function, which handles requests to /goform/Natlimit in the httpd component. Published on 2026-04-27, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely over the network by an attacker with low privileges, requiring low attack complexity and no user interaction. Successful exploitation triggers a buffer overflow, resulting in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution or system compromise.
References indicate that an exploit has been publicly disclosed, including a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_138/README.md. Additional details are available in VulDB advisories (https://vuldb.com/vuln/359675 and https://vuldb.com/submit/798473), with CTI at https://vuldb.com/vuln/359675/cti. Practitioners should check the Tenda vendor site (https://www.tenda.com.cn/) for any patches or mitigation guidance.
The published exploit may be actively used, heightening risk for unpatched Tenda F456 devices.
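Because the advisory names the affected endpoint (/goform/Natlimit) but no patch, a practical interim step for defenders is to watch web access logs from Tenda F456 devices for requests to that endpoint carrying unusually large request bodies, which is the shape a buffer-overflow attempt against a form handler would normally take. The following Python is an added example and not code from the advisory, VulDB or the vendor; the log format (a combined-style line whose last field is the request body size), the 512-byte threshold and the sample log lines are constructed assumptions and should be tuned against real device traffic.

```python
"""
Added example (not part of the advisory): flag access-log lines that target the
/goform/Natlimit endpoint named in CVE-2026-7100 with an unusually large request
body. Only the endpoint path comes from the advisory; the log format, threshold
and sample lines below are constructed assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Endpoint handled by fromNatlimitof according to the advisory.
WATCHED_PATH = "/goform/Natlimit"

# Assumption: a legitimate NAT-limit form submission is small. Anything larger
# than this many bytes is treated as suspicious. Tune against observed traffic.
MAX_EXPECTED_BODY = 512

# Constructed log format: "<ip> - - [<ts>] "<method> <path> <proto>" <status> <request_bytes>"
# where the final field is the size of the request body in bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<request_bytes>\d+)$'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    request_bytes: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line hits the watched endpoint with an oversized body."""
    rec = parse_line(line)
    if rec is None:
        return None  # malformed or foreign line: skip rather than crash the scan
    path = rec["path"].split("?", 1)[0]  # ignore any query string when matching
    if path != WATCHED_PATH:
        return None
    size = int(rec["request_bytes"])
    if size > MAX_EXPECTED_BODY:
        return Finding(
            ip=rec["ip"],
            timestamp=rec["ts"],
            path=path,
            request_bytes=size,
            reason=f"request body of {size} bytes exceeds {MAX_EXPECTED_BODY}-byte limit",
        )
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over every line and collect the findings."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


def hits_by_source(findings: Iterable[Finding]) -> Counter:
    """Count findings per source IP so repeat offenders stand out."""
    return Counter(f.ip for f in findings)


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2026:10:00:01 +0000] "POST /goform/Natlimit HTTP/1.1" 200 143',
    '192.0.2.10 - - [27/Apr/2026:10:00:05 +0000] "POST /goform/Natlimit HTTP/1.1" 200 4096',
    '198.51.100.7 - - [27/Apr/2026:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 2048',
    'not a log line at all',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.timestamp} {finding.ip} {finding.path}: {finding.reason}")
    print(hits_by_source(scan(SAMPLE_LOG)))
```

The first sample line is a normal-sized form post and is not reported; the second, from the same source, carries a 4096-byte body and is flagged; the third targets a different path and the fourth is malformed, so both are ignored. On a real deployment the body-size field depends on the web server or proxy in front of the device, so the regular expression must be adapted to that log format before use.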
Details
- CWE(s)