Tenda F456 Router Faces High-Severity Stack Buffer Overflow
The National Vulnerability Database (NVD) recently disclosed CVE-2026-6200, a high-severity vulnerability impacting the Tenda F456 router, specifically version 1.0.0.5. This isn’t just a theoretical flaw; it’s a stack-based buffer overflow stemming from improper handling of the menufacturer/Go argument within the formwebtypelibrary function of the /goform/webtypelibrary file. The NVD assigned it a CVSS score of 8.8 (HIGH), which should immediately grab your attention.
What makes this particularly nasty is the attack vector: it’s remotely exploitable. An attacker doesn’t need physical access to the device or even to be on the local network. They can trigger this overflow across the wire. Even worse, the NVD notes that the exploit has been publicly disclosed, meaning it’s likely already in the wild or easily weaponized by threat actors looking for low-hanging fruit. This isn’t a zero-day that’s still under wraps; it’s a known quantity.
From a technical perspective, this falls under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). These are classic memory corruption issues that often lead to arbitrary code execution. Given the remote exploitability and public disclosure, any unpatched Tenda F456 routers are sitting ducks for compromise.
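A defensive check for the condition described above, as an added example that is not from the NVD entry or from Tenda: it inspects captured HTTP requests (for instance from a proxy or IDS in front of the router) for oversized arguments sent to /goform/webtypelibrary, counting length after percent-decoding. The 64-byte threshold, the LAN range, the reading of "menufacturer/Go" as two argument names, and the sample requests are all assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/goform/webtypelibrary"         # endpoint named in the advisory
WATCHED_ARGS = {"menufacturer", "Go"}          # assumption: two argument names
MAX_ARG_LEN = 64                               # assumption: alert threshold, not the real buffer size
LAN = ipaddress.ip_network("192.168.0.0/24")   # assumption: the router's LAN

def inspect_request(src_ip, raw_request):
    """Return findings for one captured HTTP request (bytes) and its source IP."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(fields) < 2:
        return []                              # not a parseable request line
    url = urlsplit(fields[1])
    if url.path.rstrip("/") != TARGET_PATH:
        return []
    findings = []
    if ipaddress.ip_address(src_ip) not in LAN:
        findings.append("endpoint reached from outside the LAN")
    # Arguments may arrive in the query string or in a form-encoded body.
    # latin-1 keeps one character per byte, so len() is the decoded byte count.
    pairs = parse_qsl(url.query, keep_blank_values=True, encoding="latin-1")
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                       encoding="latin-1")
    for name, value in pairs:
        if name in WATCHED_ARGS and len(value) > MAX_ARG_LEN:
            findings.append(f"oversized {name}: {len(value)} bytes")
    return findings

# Constructed sample traffic (not captured from a real device).
SAMPLES = [
    ("192.168.0.10", b"POST /goform/webtypelibrary HTTP/1.1\r\n"
                     b"Host: 192.168.0.1\r\n\r\nmenufacturer=acme&Go=index"),
    ("203.0.113.7", b"POST /goform/webtypelibrary HTTP/1.1\r\n"
                    b"Host: 192.168.0.1\r\n\r\nmenufacturer="
                    + b"%41" * 200 + b"&Go=x"),
    ("203.0.113.7", b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, req in SAMPLES:
        print(src, inspect_request(src, req))
```

Measuring the value after decoding matters because a percent-encoded argument is three times longer on the wire than the bytes the handler ends up copying.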
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6200 | Buffer Overflow | Tenda F456 version 1.0.0.5 |
| CVE-2026-6200 | Buffer Overflow | CWE-121: Stack-based Buffer Overflow |
| CVE-2026-6200 | Buffer Overflow | Vulnerable function: formwebtypelibrary in /goform/webtypelibrary |
| CVE-2026-6200 | Buffer Overflow | Manipulation of argument 'menufacturer/Go' |