CVE-2026-6120 Overview
CVE-2026-6120 is a stack-based buffer overflow vulnerability in the Tenda F451 router running firmware version 1.0.0.7. The flaw resides in the fromDhcpListClient function within the /goform/DhcpListClient endpoint of the device's httpd web server. Attackers manipulate the page argument to overflow a fixed-size stack buffer. The vulnerability is remotely exploitable over the network and a public exploit has been disclosed. The weakness is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Remote attackers with low privileges can trigger memory corruption in the router's HTTP daemon, leading to denial of service or potential arbitrary code execution on the device.
Affected Products
- Tenda F451 router (hardware)
- Tenda F451 Firmware version 1.0.0.7
- httpd component handling /goform/DhcpListClient requests
Discovery Timeline
- 2026-04-12 - CVE-2026-6120 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-6120
Vulnerability Analysis
The vulnerability exists in the fromDhcpListClient handler of the embedded httpd web server on the Tenda F451. The handler processes HTTP requests submitted to /goform/DhcpListClient and reads the page parameter from the request. The function copies this attacker-controlled value into a stack-allocated buffer without validating its length, producing a classic stack-based buffer overflow described by [CWE-119].
Because the overflow occurs on the stack, an attacker can overwrite saved registers, return addresses, and adjacent local variables. On MIPS or ARM-based SOHO routers like the F451, this typically leads to control of the program counter once enough bytes are written past the destination buffer. The public disclosure of the exploit increases the likelihood of opportunistic scanning and weaponization against exposed devices.
Root Cause
The root cause is missing bounds checking on the page argument before copying it into a fixed-size stack buffer inside fromDhcpListClient. The handler trusts user-supplied HTTP parameters and does not enforce a maximum length, violating safe string-copy practices for embedded C code.
Attack Vector
The attack vector is network-based. An authenticated attacker with low privileges sends a crafted HTTP request to /goform/DhcpListClient containing an oversized page parameter. The malformed request triggers the stack overflow inside the httpd process. No user interaction is required, and attack complexity is low. Public exploit code makes reproduction straightforward. See the GitHub Issue Tracker Entry and the VulDB #356983 advisory for technical details.
Detection Methods for CVE-2026-6120
Indicators of Compromise
- HTTP POST or GET requests to /goform/DhcpListClient containing abnormally long page parameter values.
- Unexpected restarts or crashes of the httpd process on the Tenda F451 device.
- Outbound connections from the router to unknown hosts following inbound requests to the affected endpoint.
Detection Strategies
- Inspect web server and firewall logs for requests targeting /goform/DhcpListClient with parameter lengths exceeding expected values.
- Deploy network IDS signatures that flag oversized page parameters in HTTP traffic destined for Tenda router management interfaces.
- Correlate httpd crash events with preceding inbound HTTP requests to identify exploitation attempts.
Monitoring Recommendations
- Monitor administrative interfaces of SOHO routers for unauthorized inbound traffic from WAN-facing addresses.
- Alert on repeated failed or anomalous requests to /goform/ endpoints, which are commonly abused in Tenda vulnerabilities.
- Track EPSS scoring and public exploit availability for this CVE through threat intelligence feeds to adjust detection priority.
How to Mitigate CVE-2026-6120
Immediate Actions Required
- Restrict access to the router's web management interface to trusted internal addresses and disable WAN-side administration.
- Change default and weak administrative credentials to limit who can authenticate and reach the vulnerable handler.
- Place affected Tenda F451 devices behind a network segmentation boundary until a vendor fix is available.
Patch Information
At the time of publication, no vendor patch from Tenda has been referenced in the CVE record for firmware version 1.0.0.7. Administrators should monitor the Tenda Official Website for firmware updates addressing the fromDhcpListClient handler and apply them as soon as they are released.
Workarounds
- Disable remote management on the WAN interface to block external exploitation paths.
- Apply access control lists on upstream firewalls to limit HTTP access to the router management port.
- Replace end-of-life or unpatched Tenda F451 devices with a supported model if no firmware update is published.
# Example: block external access to the router management interface
iptables -A INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i wan0 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
