CVE-2026-4490
Published: 20 March 2026
Summary
CVE-2026-4490 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the Tenda A18 Pro router (product inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-4490 is a stack-based buffer overflow vulnerability affecting the Tenda A18 Pro router on firmware version 02.03.02.28. The flaw resides in the setSchedWifi function of the /goform/openSchedWifi file and is linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). Published on 2026-03-20, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to remote exploitability.
An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation triggers the buffer overflow, enabling high-impact consequences including unauthorized access to sensitive data, modification of system integrity, and denial of service, with potential for full remote code execution.
Advisories and further details are available via VulDB entries (ctiid.352016, id.352016, submit.773670) and the Tenda website (tenda.com.cn). An exploit has been published on GitHub (github.com/lilukun337/cve/issues/2) and may be used in attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13736
Vulnerability details
A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. This manipulation causes a stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The stack-based buffer overflow in the router's web form handler (/goform/openSchedWifi) allows remote code execution from a low-privileged authenticated session. This maps directly to T1190 (Exploit Public-Facing Application) for initial or remote access and to T1068 (Exploitation for Privilege Escalation) for achieving full device control.
Mitigating Controls (NIST 800-53 r5) (AI)
- Flaw remediation: directly requires identification, prioritization, and remediation of the stack-based buffer overflow in the Tenda A18 Pro firmware via patching.
- SI-10 (Information Input Validation): mandates validation and sanitization of inputs to the setSchedWifi function to block malformed data that triggers the buffer overflow.
- SI-16 (Memory Protection): implements memory protections such as stack canaries and address space layout randomization to mitigate exploitation of the stack-based buffer overflow.
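To make the SI-10 control concrete, the following is an added example (not Tenda firmware code and not taken from any advisory) of a hypothetical schedule form handler that applies a bounded, character-restricted copy in place of the unchecked stack copy the CWE-121 class describes; the field limit, handler name and status codes are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed limit for one schedule field such as a start or end time. */
#define SCHED_FIELD_MAX 32

/* Hardened copy (input validation in the SI-10 sense). The weak pattern it
 * replaces is strcpy(out, form_value) with no length check, the CWE-121
 * defect class the advisory names. Rejects a value that does not fit out[]
 * or contains characters a schedule never needs.
 * Returns 0 on success, -1 on rejection (out untouched). */
static int set_sched_checked(const char *form_value, char *out, size_t outlen)
{
    const char *nul = memchr(form_value, '\0', outlen);
    if (nul == NULL)
        return -1;                             /* no terminator within limit */
    size_t n = (size_t)(nul - form_value);
    for (size_t i = 0; i < n; i++) {
        char c = form_value[i];
        if (!((c >= '0' && c <= '9') || c == ':' || c == ','))
            return -1;                         /* unexpected character */
    }
    memcpy(out, form_value, n + 1);            /* n < outlen, NUL included */
    return 0;
}

/* Hypothetical handler shaped like a Wi-Fi schedule form (not Tenda code):
 * both fields are validated before use. Returns an HTTP-like status code. */
int handle_open_sched_wifi(const char *start_time, const char *end_time)
{
    char start[SCHED_FIELD_MAX], end[SCHED_FIELD_MAX];
    if (set_sched_checked(start_time, start, sizeof start) != 0)
        return 400;
    if (set_sched_checked(end_time, end, sizeof end) != 0)
        return 400;
    printf("schedule accepted: %s to %s\n", start, end);
    return 200;
}

/* Constructed 40-byte value, longer than SCHED_FIELD_MAX. */
const char OVERSIZED_VALUE[] = "1234567890123456789012345678901234567890";

int main(void)
{
    printf("valid -> %d\n", handle_open_sched_wifi("08:00", "22:30"));
    printf("oversized -> %d\n", handle_open_sched_wifi(OVERSIZED_VALUE, "22:30"));
    printf("bad chars -> %d\n", handle_open_sched_wifi("08:00", "22:30;x"));
    return 0;
}
```

The length check runs before any byte reaches the stack buffer, so an oversized or malformed field is rejected with a status code instead of being copied; the SI-16 protections (stack canaries, ASLR) remain as a second layer if validation is ever bypassed.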