CVE-2026-7151
Published: 27 April 2026
Summary
CVE-2026-7151 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Hg3 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates identification, reporting, and timely patching of flaws like the stack buffer overflow in formUploadConfig, directly eliminating this CVE.
SI-10 requires validation of information inputs such as the destNet argument to prevent stack-based buffer overflows from manipulated data.
SI-16 implements memory protections like stack canaries and DEP to block unauthorized code execution from stack buffer overflow exploits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote stack-based buffer overflow in router web interface (formUploadConfig) enables exploitation of public-facing applications (T1190), remote services (T1210), and privilege escalation from low privileges to high C/I/A impact (T1068).
NVD Description
A vulnerability was determined in Tenda HG3 2.0. Impacted is the function formUploadConfig of the file /boaform/formIPv6Routing. This manipulation of the argument destNet causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly…
more
disclosed and may be utilized.
Deeper analysisAI
CVE-2026-7151 is a stack-based buffer overflow vulnerability affecting the Tenda HG3 2.0 router. The flaw resides in the formUploadConfig function of the /boaform/formIPv6Routing file, where manipulation of the destNet argument triggers the overflow. This issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation leads to high impacts on confidentiality, integrity, and availability, as reflected in the CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The exploit has been publicly disclosed and may be utilized by threat actors.
Advisories and further details are available via VulDB entries at https://vuldb.com/vuln/359750 and related pages, as well as the vendor site at https://www.tenda.com.cn/. Security practitioners should review these references for recommended mitigations, patches, or configuration guidance.
Details
- CWE(s)