CVE-2026-4041
Published: 12 March 2026
Summary
CVE-2026-4041 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda I12 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the stack-based buffer overflow in vos_strcpy by identifying, patching, or replacing the vulnerable code in /goform/exeCommand.
Requires validation of the cmdinput argument to restrict its length and format, preventing the buffer overflow exploitation.
Implements memory protections such as stack canaries, ASLR, and non-executable stacks to mitigate successful buffer overflow exploitation leading to code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in public web management endpoint (/goform/exeCommand) allows remote low-privileged authenticated attackers to achieve arbitrary code execution on the device, directly mapping to initial access via public-facing application exploitation and privilege escalation to full device control.
NVD Description
A security flaw has been discovered in Tenda i12 1.0.0.6(2204). Impacted is the function vos_strcpy of the file /goform/exeCommand. The manipulation of the argument cmdinput results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been…
more
released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-4041 is a stack-based buffer overflow vulnerability affecting the Tenda i12 router on firmware version 1.0.0.6(2204). The flaw resides in the vos_strcpy function within the /goform/exeCommand file, triggered by manipulation of the cmdinput argument. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121, and CWE-787 (Out-of-bounds Write), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by attackers possessing low privileges, requiring low attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially granting attackers control over the affected device through arbitrary code execution.
Advisories referenced include a GitHub issue at https://github.com/Jimi-Lab/cve/issues/1 and multiple VulDB entries (https://vuldb.com/?ctiid.350653, https://vuldb.com/?id.350653, https://vuldb.com/?submit.769462), along with the vendor site at https://www.tenda.com.cn/. An exploit has been publicly released and may be used for attacks, though specific patch or mitigation guidance is not detailed in the available information.
Exploitation in the wild is not confirmed beyond the public availability of the proof-of-concept exploit.
Details
- CWE(s)