CVE-2026-4489
Published: 20 March 2026
Summary
CVE-2026-4489 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the Tenda A18 Pro router, firmware version 02.03.02.28. Reported CVSS base scores differ: 7.4 (High) in this summary and 8.8 (High) in the detailed analysis below; the latter is the score that corresponds to the published CVSS v3.1 vector.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 39.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-4489 is a stack-based buffer overflow vulnerability in the Tenda A18 Pro router running firmware version 02.03.02.28. The issue resides in the form_fast_setting_wifi_set function within the /goform/fast_setting_wifi_set file. Published on 2026-03-20, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
Remote attackers with low privileges can exploit this vulnerability over the network with low complexity and without user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device. A public exploit is available, increasing the risk of widespread abuse.
Advisories and details are documented in references including a GitHub issue at https://github.com/lilukun337/cve/issues/1 and VulDB entries at https://vuldb.com/?ctiid.352015, https://vuldb.com/?id.352015, and https://vuldb.com/?submit.773619, with the vendor site at https://www.tenda.com.cn/. No specific patch or mitigation details are outlined in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13729
Vulnerability details
A vulnerability was detected in Tenda A18 Pro 02.03.02.28. This vulnerability affects the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. The manipulation results in stack-based buffer overflow. The attack may be launched remotely. The exploit is now public and may be used.
- CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in publicly exposed web form (/goform/fast_setting_wifi_set) on network device directly enables remote exploitation of a public-facing application (T1190) and arbitrary code execution from low-privileged access, facilitating privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of flaws such as the stack-based buffer overflow in the form_fast_setting_wifi_set function by applying firmware patches or updates.
SI-10 enforces validation of inputs to the /goform/fast_setting_wifi_set endpoint, directly preventing the buffer overflow exploitation from malformed WiFi setting data.
SI-16 implements memory protections like stack canaries and non-executable stacks to block arbitrary code execution from the stack-based buffer overflow.
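The handler pattern behind this class of bug, and the input-validation fix that SI-10 calls for, as an added example. This is illustrative code written for this page, not Tenda's source and not taken from the public exploit: the form body layout ("ssid=...&wrlPwd=..."), the field name "ssid", the `form_get_var` accessor (a stand-in for a web server's form-variable getter) and the SSID_MAX buffer size are all assumptions. The vulnerable function is only ever called with a benign value here; its overflow on an oversize value is what the hardened function refuses to reach.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SSID_MAX 32  /* assumed buffer size: 802.11 caps an SSID at 32 octets */

/* Hypothetical stand-in for the web server's form accessor: scans a
   "k=v&k=v" body and returns a heap copy of the value for `key`, or NULL
   if the key is absent. Caller frees the result. */
static char *form_get_var(const char *body, const char *key) {
    size_t klen = strlen(key);
    for (const char *p = body; p && *p; ) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t n = end ? (size_t)(end - v) : strlen(v);
            char *out = malloc(n + 1);
            if (!out) return NULL;
            memcpy(out, v, n);
            out[n] = '\0';
            return out;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* VULNERABLE pattern (illustrative reconstruction): the attacker-controlled
   field value is copied into a fixed-size stack buffer with no length check.
   A value longer than SSID_MAX overruns `ssid` and the saved frame data above
   it (CWE-121). Returns the stored SSID length, or -1 if the field is missing. */
int wifi_set_vulnerable(const char *body) {
    char ssid[SSID_MAX + 1];
    char *v = form_get_var(body, "ssid");
    if (!v) return -1;
    strcpy(ssid, v);            /* strlen(v) is chosen by the remote client */
    free(v);
    return (int)strlen(ssid);
}

/* HARDENED (SI-10 input validation): measure the value before any copy,
   reject empty or oversize values with an error instead of truncating
   silently, and copy with an explicit bound. Returns the stored length,
   -1 if the field is missing, -2 if the value is rejected. */
int wifi_set_hardened(const char *body, char *ssid_out, size_t cap) {
    char *v = form_get_var(body, "ssid");
    if (!v) return -1;
    size_t n = strlen(v);
    if (n == 0 || n > SSID_MAX || n >= cap) {
        free(v);
        return -2;              /* reject: would not fit in the destination */
    }
    memcpy(ssid_out, v, n);
    ssid_out[n] = '\0';
    free(v);
    return (int)n;
}

int main(void) {
    /* constructed sample bodies: one benign, one with a 40-byte SSID */
    const char *benign = "ssid=home-wifi&wrlPwd=secret";
    const char *oversize = "ssid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&wrlPwd=x";
    char buf[SSID_MAX + 1];
    printf("benign   -> hardened=%d\n", wifi_set_hardened(benign, buf, sizeof buf));
    printf("oversize -> hardened=%d (rejected)\n", wifi_set_hardened(oversize, buf, sizeof buf));
    /* wifi_set_vulnerable(oversize) is deliberately not called: it overflows */
    printf("benign   -> vulnerable=%d\n", wifi_set_vulnerable(benign));
    return 0;
}
```

The length check belongs before the copy and must compare against the real destination size, which is why the hardened version takes the buffer capacity as a parameter rather than trusting a constant. For the SI-16 side, the same binary should be built with a stack protector (for example `-fstack-protector-strong` on GCC) and shipped with a non-executable stack; both can be confirmed on an extracted firmware ELF with `readelf -l` (look at the GNU_STACK segment flags) or a checksec-style tool.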