CVE-2026-1637
Published: 29 January 2026
Summary
CVE-2026-1637 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac21 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the stack-based buffer overflow by requiring validation of inputs to the fromAdvSetMacMtuWan function to prevent improper restriction of operations within memory bounds.
Implements memory protections such as stack canaries, address space layout randomization, and non-executable memory to block exploitation of the buffer overflow for arbitrary code execution.
Ensures timely remediation of the specific vulnerability through firmware patching for Tenda AC21 version 16.03.08.16, addressing the publicly available exploit.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the web management interface (/goform/AdvSetMacMtuWan) of Tenda AC21 firmware allows remote authenticated attackers to achieve arbitrary code execution over the network.
NVD Description
A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might…
more
be used.
Deeper analysisAI
CVE-2026-1637 is a stack-based buffer overflow vulnerability affecting Tenda AC21 firmware version 16.03.08.16. The issue resides in the fromAdvSetMacMtuWan function within the /goform/AdvSetMacMtuWan file. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation triggers the buffer overflow, potentially allowing arbitrary code execution and granting high-impact compromise of confidentiality, integrity, and availability on the affected device.
Advisories from VulDB (ctiid.343416, id.343416, submit.740865) and a GitHub issue (LX-LX88/cve/issues/25) detail the vulnerability, confirming remote exploitability. The Tenda vendor website (tenda.com.cn) is referenced for further information, though specific patch details are not outlined in the available data. Security practitioners should monitor these sources for mitigation guidance.
The exploit is publicly available, increasing the risk of active use against unpatched Tenda AC21 devices.
Details
- CWE(s)