Plattform
tenda
Komponente
tenda
Behoben in
1.0.1
A critical security vulnerability, CVE-2026-6134, has been identified in the Tenda F451 router. This flaw is a stack-based buffer overflow affecting versions 1.0.0 through 1.0.0.7cnsvn7958. Successful exploitation allows remote attackers to manipulate the system, potentially leading to denial of service or even arbitrary code execution. A public exploit is already available, increasing the risk of immediate attacks.
The stack-based buffer overflow vulnerability in the Tenda F451 allows attackers to send specially crafted requests to the /goform/qossetting endpoint, manipulating the qos argument. This manipulation can overwrite critical memory regions on the router, leading to a crash or, more seriously, allowing the attacker to inject and execute malicious code. Given the router's role as a network gateway, a successful exploit could provide an attacker with access to the internal network, enabling them to intercept traffic, steal sensitive data, or launch further attacks against connected devices. The availability of a public exploit significantly elevates the risk, as it lowers the barrier to entry for malicious actors.
CVE-2026-6134 is a high-risk vulnerability due to the availability of a public proof-of-concept exploit. The vulnerability was publicly disclosed on 2026-04-12. The EPSS score is likely to be medium to high, reflecting the ease of exploitation and potential impact. Monitor security advisories from Tenda for updates and patch releases. This vulnerability highlights the importance of promptly applying security updates to network devices.
Small businesses and home users relying on Tenda F451 routers are at risk. Shared hosting environments utilizing these routers as gateway devices are particularly vulnerable, as a compromise of the router could expose multiple tenants to attack. Users with older, unpatched firmware versions are most susceptible.
• linux / server:
journalctl -f -u tenda_qos | grep -i overflow• generic web:
curl -v https://<router_ip>/goform/qossetting?qos=AAAAAAAAAAAAAAAAAAAAAAA | grep -i 'stack overflow'disclosure
poc
Exploit-Status
EPSS
0.02% (4% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-6134 is to upgrade the Tenda F451 router to a firmware version that addresses the buffer overflow vulnerability. Unfortunately, a fixed firmware version is not yet specified. Until a patch is available, consider implementing temporary workarounds such as restricting access to the /goform/qossetting endpoint using a firewall or access control list (ACL). Monitoring network traffic for unusual patterns or connections to suspicious IP addresses can also help detect potential exploitation attempts. After applying any mitigation, verify its effectiveness by attempting to reproduce the vulnerability with a safe test payload.
Actualice el firmware de su dispositivo Tenda F451 a una versión corregida. Consulte el sitio web oficial de Tenda o la documentación del producto para obtener instrucciones sobre cómo actualizar el firmware. La actualización solucionará la vulnerabilidad de desbordamiento de búfer en la pila.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-6134 is a critical buffer overflow vulnerability in the Tenda F451 router, allowing remote attackers to potentially execute code. It affects versions 1.0.0–1.0.0.7cnsvn7958 and has a CVSS score of 8.8 (HIGH).
You are affected if you are using a Tenda F451 router running firmware versions 1.0.0 through 1.0.0.7cnsvn7958. Check your router's firmware version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched firmware version from Tenda. Until a patch is released, restrict access to the /goform/qossetting endpoint and monitor network traffic.
Yes, a public proof-of-concept exploit is available, indicating a high probability of active exploitation. Immediate action is recommended.
Refer to Tenda's official website and security advisories for updates and patch releases related to CVE-2026-6134. Monitor security news sources for announcements.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.