How is CVE-2026-11557 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network through the web management interface, so the attacker must be able to reach the device's HTTP service remotely. Authentication (required): The attack requires a low-privilege account on the web management interface; any standard user credential is sufficient. Victim interaction (not-required): The attacker can trigger the overflow without any action from another user or administrator. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites.

What is the impact of CVE-2026-11557?

The attacker reads confidential data stored or processed by the device, including any credentials, session tokens, or configuration secrets accessible in router memory. The attacker modifies device configuration or persisted state, enabling traffic redirection, NAT rule tampering, or backdoor insertion. The attacker crashes the affected web management process or the device itself, disrupting routing and network availability for all hosts behind the router.

Back to search

HIGHCVE-2026-11557Published 2026-06-08Modified 2026-06-08CNA VulDB

CVE-2026-11557: Tenda F451 Web Management Natlimit fromNatlimit stack-based overflow

A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the Tenda F451 router's web management interface, specifically in the fromNatlimit function at /goform/Natlimit. An attacker with a low-privilege account can reach this endpoint over the network and trigger the overflow by manipulating the page argument, requiring no interaction from any other user. Successful exploitation gives the attacker full read access to confidential data, the ability to modify system state, and the ability to crash or destabilize the device. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-11557 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Tenda F451 firmware components or base images derived from affected versions.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS v4.0 8.7 (High) and weighting it against each environment's compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Available

Patch

No upstream fix version has been published for CVE-2026-11557; HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Tenda publishes a corrected firmware version. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix is available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network through the web management interface, so the attacker must be able to reach the device's HTTP service remotely.
AuthenticationRequired
The attack requires a low-privilege account on the web management interface; any standard user credential is sufficient.
Victim interactionNot required
The attacker can trigger the overflow without any action from another user or administrator.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites.

Blast Radius

The attacker reads confidential data stored or processed by the device, including any credentials, session tokens, or configuration secrets accessible in router memory.
The attacker modifies device configuration or persisted state, enabling traffic redirection, NAT rule tampering, or backdoor insertion.
The attacker crashes the affected web management process or the device itself, disrupting routing and network availability for all hosts behind the router.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-11557, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Tenda publishes a corrected version. For customers who opt into auto-remediation, that rebuild will include a regression-test run and an opened PR against affected workloads with no manual steps required. In the interim, compensating controls worth considering include network-policy isolation of the router's web management interface (restrict access to a dedicated management VLAN or specific source IPs), egress filtering to limit lateral movement if the device is compromised, and disabling remote management if the feature is not operationally required. HarborGuard will surface any new advisory updates or vendor patches as soon as they appear in upstream feeds.

See how HarborGuard automates this

Affected packages

Tenda / F451
1.0.0.7 · 1.0.0.9

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

Metrics

Get notified