CVE-2026-7099
Published: 27 April 2026
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2026-7099 is a buffer overflow vulnerability affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw exists in the formQuickIndex function of the /goform/QuickIndex file within the httpd component, where manipulation of the mit_linktype argument triggers the overflow. It is classified under CWE-119 and CWE-120, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers possessing low privileges, such as authenticated users, with low attack complexity and no requirement for user interaction. Successful exploitation can result in high confidentiality, integrity, and availability impacts, potentially leading to arbitrary code execution on the device.
VulDB advisories document the issue and note that a public exploit is available on GitHub, which may be used by attackers. Practitioners should consult the Tenda website and referenced VulDB pages for any vendor-provided patches or mitigation steps.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in router's httpd web interface enables remote code execution from low-privileged access, directly facilitating Exploit Public-Facing Application and Exploitation for Privilege Escalation.