Description
A security vulnerability has been detected in Tenda F456 1.0.0.5. Impacted is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. Such manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-04-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stack buffer overflow in the fromDhcpListClient function of the /goform/DhcpListClient HTTP handler in Tenda F456 firmware 1.0.0.5. When an attacker supplies an oversized page parameter, the unchecked input overwrites adjacent memory, enabling arbitrary code execution on the device. The flaw is classified under CWE-119 and CWE-120 and has a CVSS score of 8.7, indicating high severity.

Affected Systems

Only the Tenda F456 router running firmware version 1.0.0.5 is affected. No other Tenda models or firmware versions are listed as vulnerable, and the CWE classification identifies the flaw as a buffer overflow in a web-based configuration endpoint.

Risk and Exploitability

The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting that the probability of exploitation is low at this time. Nevertheless, the flaw can be triggered remotely through the router's web interface, so an attacker with network access can deliver a malicious payload. The high CVSS score and the public disclosure of exploit code call for prompt attention, especially in environments where the router is exposed to the Internet.

Generated by OpenCVE AI on April 28, 2026 at 04:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied firmware update that resolves the buffer overflow.
  • If no patch is yet available, restrict access to the /goform/DhcpListClient endpoint by blocking its HTTP URL, or disable DHCP list client functionality if the device allows it.
  • Place the router behind a firewall and limit management access to trusted internal networks using VLANs or ACLs.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 01:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tenda; Tenda f456

Type: Vendors & Products
Values Removed: (none)
Values Added: Tenda; Tenda f456

Mon, 27 Apr 2026 13:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 09:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security vulnerability has been detected in Tenda F456 1.0.0.5. Impacted is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. Such manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

Type: Title
Values Removed: (none)
Values Added: Tenda F456 httpd DhcpListClient fromDhcpListClient buffer overflow

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-119; CWE-120

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T12:27:54.591Z

Reserved: 2026-04-26T08:59:51.726Z

Link: CVE-2026-7098

Vulnrichment

Updated: 2026-04-27T12:27:50.678Z

NVD

Status: Awaiting Analysis

Published: 2026-04-27T09:16:02.213

Modified: 2026-04-27T18:57:20.293

Link: CVE-2026-7098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:45:22Z

Weaknesses