CVE-2026-4254
Published: 16 March 2026
Summary
CVE-2026-4254 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of flaws like the stack-based buffer overflow in the Tenda AC8 HTTP endpoint by applying vendor patches or firmware updates.
SI-10 mandates validation of HTTP inputs such as the local_2c argument to prevent stack-based buffer overflows in the doSystemCmd function.
SI-16 implements memory protections like stack canaries and ASLR to mitigate remote exploitation of the buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-4254 is a remotely exploitable buffer overflow in the HTTP endpoint (/goform/SysToolChangePwd) of a public-facing Tenda router, enabling unauthenticated attackers to achieve RCE, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
A weakness has been identified in Tenda AC8 up to 16.03.50.11. This vulnerability affects the function doSystemCmd of the file /goform/SysToolChangePwd of the component HTTP Endpoint. This manipulation of the argument local_2c causes stack-based buffer overflow. The attack can be…
more
initiated remotely. The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-4254 is a stack-based buffer overflow vulnerability affecting Tenda AC8 router firmware versions up to 16.03.50.11. The flaw exists in the doSystemCmd function of the /goform/SysToolChangePwd component within the HTTP endpoint, where manipulation of the local_2c argument triggers the overflow. It is classified under CWEs 119, 121, and 787.
The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding a CVSS v3.1 base score of 9.8.
Advisories and reports are documented on VulDB (ctiid.351212, id.351212, submit.771773) and a GitHub repository detailing the CVE, including a publicly available exploit. The Tenda manufacturer's site (tenda.com.cn) is referenced, though specific patch details are not outlined in the disclosures.
The exploit has been made publicly available, heightening the potential for real-world attacks on vulnerable devices.
Details
- CWE(s)