CVE-2026-7100
Published: 27 April 2026
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2026-7100 is a buffer overflow vulnerability (CWE-119, CWE-120) affecting the Tenda F456 router on firmware version 1.0.0.5. The flaw exists in the "fromNatlimitof" function within the "/goform/Natlimit" file of the httpd component. Published on 2026-04-27, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability is remotely exploitable over the network by an attacker with low privileges; attack complexity is low and no user interaction is required. Successful exploitation triggers a buffer overflow with high impact on confidentiality, integrity, and availability, potentially enabling arbitrary code execution or system compromise.
References indicate that an exploit has been publicly disclosed, including a GitHub repository at https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_138/README.md. Additional details are available in VulDB advisories (https://vuldb.com/vuln/359675 and https://vuldb.com/submit/798473), with CTI at https://vuldb.com/vuln/359675/cti. Practitioners should check the Tenda vendor site (https://www.tenda.com.cn/) for any patches or mitigation guidance.
The published exploit may be actively used, heightening risk for unpatched Tenda F456 devices.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Buffer overflow in the router's httpd web component enables remote exploitation of a public-facing application (T1190) and privilege escalation from low-privilege access to arbitrary code execution and system compromise (T1068).