Platform
tenda
Component
tenda
Fixed in
1.0.1
A critical security vulnerability, CVE-2026-6134, has been identified in the Tenda F451 router. This flaw is a stack-based buffer overflow affecting versions 1.0.0 through 1.0.0.7cnsvn7958. Successful exploitation allows remote attackers to manipulate the system, potentially leading to denial of service or even arbitrary code execution. A public exploit is already available, increasing the risk of immediate attacks.
The stack-based buffer overflow vulnerability in the Tenda F451 allows attackers to send specially crafted requests to the /goform/qossetting endpoint, manipulating the qos argument. This manipulation can overwrite critical memory regions on the router, leading to a crash or, more seriously, allowing the attacker to inject and execute malicious code. Given the router's role as a network gateway, a successful exploit could provide an attacker with access to the internal network, enabling them to intercept traffic, steal sensitive data, or launch further attacks against connected devices. The availability of a public exploit significantly elevates the risk, as it lowers the barrier to entry for malicious actors.
CVE-2026-6134 is a high-risk vulnerability due to the availability of a public proof-of-concept exploit. The vulnerability was publicly disclosed on 2026-04-12. The EPSS score is likely to be medium to high, reflecting the ease of exploitation and potential impact. Monitor security advisories from Tenda for updates and patch releases. This vulnerability highlights the importance of promptly applying security updates to network devices.
Exploit Status
EPSS
0.02% (4% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-6134 is to upgrade the Tenda F451 router to a firmware version that addresses the buffer overflow vulnerability. Unfortunately, a fixed firmware version is not yet specified. Until a patch is available, consider implementing temporary workarounds such as restricting access to the /goform/qossetting endpoint using a firewall or access control list (ACL). Monitoring network traffic for unusual patterns or connections to suspicious IP addresses can also help detect potential exploitation attempts. After applying any mitigation, verify its effectiveness by attempting to reproduce the vulnerability with a safe test payload.
Update the firmware of your Tenda F451 device to a patched version. Refer to the official Tenda website or product documentation for instructions on how to update the firmware. The update will fix the stack-based buffer overflow vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-6134 is a critical buffer overflow vulnerability in the Tenda F451 router, allowing remote attackers to potentially execute code. It affects versions 1.0.0–1.0.0.7cnsvn7958 and has a CVSS score of 8.8 (HIGH).
You are affected if you are using a Tenda F451 router running firmware versions 1.0.0 through 1.0.0.7cnsvn7958. Check your router's firmware version and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched firmware version from Tenda. Until a patch is released, restrict access to the /goform/qossetting endpoint and monitor network traffic.
Yes, a public proof-of-concept exploit is available, indicating a high probability of active exploitation. Immediate action is recommended.
Refer to Tenda's official website and security advisories for updates and patch releases related to CVE-2026-6134. Monitor security news sources for announcements.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.