CVE-2026-7098
Published: 27 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-7098 is a buffer overflow vulnerability in the Tenda F456 router running firmware version 1.0.0.5. The issue affects the fromDhcpListClient function, which handles the /goform/DhcpListClient endpoint of the httpd component. By manipulating the "page" argument, an attacker can trigger the overflow remotely. Exploit details have been publicly disclosed.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low complexity and requiring only low privileges, such as those of an authenticated user. Exploitation could allow an attacker to achieve high-impact confidentiality, integrity, and availability violations, potentially leading to remote code execution or full device compromise on affected routers.
Advisories from VulDB and related sources, including a GitHub proof-of-concept, detail the issue, but the information provided does not specify a patch. Security practitioners should consult the vendor site at https://www.tenda.com.cn/ and references such as https://vuldb.com/vuln/359673 for mitigation guidance, firmware updates, or workarounds. The exploit is publicly available, increasing the risk of active use.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The buffer overflow is in the router's web management interface (the /goform/DhcpListClient endpoint in httpd) and is remotely exploitable over the network with low privileges (PR:L), leading to RCE and full compromise. It therefore directly enables exploitation of a public-facing application.