Cve-2026-6631 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-6631/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 20 Apr 2026 11:16:19 +0000Tenda F451 Router Buffer Overflow Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/Mon, 20 Apr 2026 11:16:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.CVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. The vulnerability resides in the fromwebExcptypemanFilter function within the /goform/webExcptypemanFilter component of the router’s httpd web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long ‘page’ parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.

Attack Chain

  1. Attacker identifies a vulnerable Tenda F451 router exposed to the internet.
  2. Attacker crafts a malicious HTTP GET or POST request targeting /goform/webExcptypemanFilter.
  3. The crafted request includes the page parameter with a payload exceeding the buffer size allocated for it.
  4. The httpd server processes the request and passes the page parameter to the vulnerable fromwebExcptypemanFilter function.
  5. Due to the lack of proper bounds checking, the overly long page parameter overwrites adjacent memory regions on the stack.
  6. The attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.
  7. The fromwebExcptypemanFilter function completes execution and attempts to return, jumping to the attacker-controlled address.
  8. The attacker’s malicious code executes with the privileges of the httpd server, potentially gaining full control of the router.

Impact

Successful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. The availability of public exploits further increases the likelihood of exploitation.

Recommendation

  • Apply available firmware updates from Tenda to patch CVE-2026-6631.
  • Monitor web server logs for suspicious requests to /goform/webExcptypemanFilter with unusually long page parameters, using the Sigma rule DetectTendaF451BufferOverflow.
  • Implement network intrusion detection systems (IDS) to detect and block exploit attempts targeting CVE-2026-6631.
  • Consider deploying the Sigma rule DetectTendaF451SuspiciousProcess to identify unexpected processes spawned by the httpd daemon.
  • If patching is not immediately feasible, consider restricting access to the router’s web interface from the public internet to mitigate the risk of remote exploitation.
]]>criticaladvisorytendarouterbuffer_overflowcve-2026-6631webserver