{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6631/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer_overflow","cve-2026-6631","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. The vulnerability resides in the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function within the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e component of the router\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long \u0026lsquo;page\u0026rsquo; parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. 
Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda F451 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET or POST request targeting \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003epage\u003c/code\u003e parameter with a payload exceeding the buffer size allocated for it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e server processes the request and passes the \u003ccode\u003epage\u003c/code\u003e parameter to the vulnerable \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper bounds checking, the overly long \u003ccode\u003epage\u003c/code\u003e parameter overwrites adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function completes execution and attempts to return, jumping to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e server, potentially gaining full control of the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. 
This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. The availability of public exploits further increases the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from Tenda to patch CVE-2026-6631.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, using the Sigma rule \u003ccode\u003eDetectTendaF451BufferOverflow\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) to detect and block exploit attempts targeting CVE-2026-6631.\u003c/li\u003e\n\u003cli\u003eConsider deploying the Sigma rule \u003ccode\u003eDetectTendaF451SuspiciousProcess\u003c/code\u003e to identify unexpected processes spawned by the httpd daemon.\u003c/li\u003e\n\u003cli\u003eIf patching is not immediately feasible, consider restricting access to the router\u0026rsquo;s web interface from the public internet to mitigate the risk of remote exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T11:16:19Z","date_published":"2026-04-20T11:16:19Z","id":"/briefs/2026-04-tenda-f451-buffer-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.","title":"Tenda F451 Router Buffer Overflow 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-6631","version":"https://jsonfeed.org/version/1.1"}