Cyber Resilience

CVE-2026-4490

Severity: High
Published: 20 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch:
CVSS Score v4: 7.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0057 (42.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4490 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in a product this record infers as "Com" from its references (the vulnerability details below identify it as the Tenda A18 Pro router). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 42.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4490 is a stack-based buffer overflow vulnerability affecting the Tenda A18 Pro router on firmware version 02.03.02.28. The flaw resides in the setSchedWifi function of the /goform/openSchedWifi file and is linked to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). Published on 2026-03-20, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to remote exploitability.

An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and without requiring user interaction. Exploitation triggers the buffer overflow, enabling high-impact consequences including unauthorized access to sensitive data, modification of system integrity, and denial of service, with potential for full remote code execution.

Advisories and further details are available via VulDB entries (ctiid.352016, id.352016, submit.773670) and the Tenda website (tenda.com.cn). An exploit has been published on GitHub (github.com/lilukun337/cve/issues/2) and may be used in attacks.

Vulnerability details

A flaw has been found in Tenda A18 Pro 02.03.02.28. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. This manipulation causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Stack-based buffer overflow in router web form (/goform/openSchedWifi) allows remote authenticated RCE from low privileges, directly enabling T1190 (exploit public-facing application) for initial/remote access and T1068 (exploitation for privilege escalation) to achieve full device control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3729 (shared CWE-119, CWE-121)
CVE-2026-4489 (shared CWE-119, CWE-121)
CVE-2026-6133 (shared CWE-119, CWE-121)
CVE-2026-4553 (shared CWE-119, CWE-121)
CVE-2026-2905 (shared CWE-119, CWE-121)
CVE-2026-5608 (shared CWE-119, CWE-121)
CVE-2026-6124 (shared CWE-119, CWE-121)
CVE-2026-2928 (shared CWE-119, CWE-121)
CVE-2026-2853 (shared CWE-119, CWE-121)
CVE-2026-2885 (shared CWE-119, CWE-121)

Affected Assets

Com (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires identification, prioritization, and remediation of the stack-based buffer overflow flaw in the Tenda A18 Pro firmware via patching.

prevent (SI-10, Information Input Validation): Mandates validation and sanitization of inputs to the setSchedWifi function to block malformed data causing the buffer overflow.

prevent (SI-16, Memory Protection): Implements memory protections such as stack canaries and address space layout randomization to mitigate exploitation of the stack-based buffer overflow.
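The following is an added example, not Tenda's setSchedWifi code and not part of this record. It shows what the SI-10 control looks like in a C form handler: a hypothetical schedule-time parameter is checked for length and format before it is copied into a fixed-size stack buffer, so an over-long value is rejected with a 400 instead of overrunning the stack (the CWE-121 pattern). The "HH:MM" format, buffer sizes and function names are assumptions for illustration.

```c
/* Added example: a hypothetical bounded parser for a Wi-Fi schedule form
 * value, illustrating SI-10 (input validation) against the CWE-121 pattern.
 * Not Tenda's setSchedWifi code; names, sizes and format are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TIME_LEN 5      /* assumed wire format "HH:MM" */
#define TIME_BUF 16     /* assumed fixed-size stack buffer in a handler */

/* Length of s, reading at most limit bytes: never walks past a buffer the
 * caller controls, unlike strlen on an attacker-supplied value. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* The defect class (CWE-121): the form value lands in a fixed buffer with no
 * length check, so anything longer than dst's size overruns the stack.
 * Shown for contrast only; nothing below calls it. */
void copy_unchecked(char *dst, const char *form_value)
{
    strcpy(dst, form_value);
}

/* Hardened form: check length and format, then copy a known number of bytes.
 * Returns true and fills dst with "HH:MM"; on any rejection dst is "" and
 * nothing from the input is copied. */
bool parse_sched_time(char *dst, size_t dst_len, const char *form_value)
{
    if (dst == NULL || dst_len < TIME_LEN + 1)
        return false;
    dst[0] = '\0';
    if (form_value == NULL)
        return false;

    /* Scan no further than the destination can hold; an over-long value is
     * rejected by length before any byte is copied. */
    if (bounded_len(form_value, dst_len) != TIME_LEN)
        return false;

    /* Strict format: two digits, ':', two digits. */
    for (size_t i = 0; i < TIME_LEN; i++) {
        bool want_digit = (i != 2);
        bool is_digit = form_value[i] >= '0' && form_value[i] <= '9';
        if (want_digit ? !is_digit : form_value[i] != ':')
            return false;
    }
    int hh = (form_value[0] - '0') * 10 + (form_value[1] - '0');
    int mm = (form_value[3] - '0') * 10 + (form_value[4] - '0');
    if (hh > 23 || mm > 59)
        return false;

    memcpy(dst, form_value, TIME_LEN);
    dst[TIME_LEN] = '\0';
    return true;
}

/* Handler-level view: both schedule fields are validated before use and a
 * malformed request is answered with 400 instead of being processed. */
int sched_wifi_status(const char *start_value, const char *end_value)
{
    char start[TIME_BUF];
    char end[TIME_BUF];
    if (!parse_sched_time(start, sizeof start, start_value) ||
        !parse_sched_time(end, sizeof end, end_value))
        return 400;
    return 200;
}

int main(void)
{
    /* Constructed inputs: one well-formed request and one whose value is
     * far longer than the handler's buffer. */
    const char *long_value =
        "08:30AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("valid request   -> %d\n", sched_wifi_status("08:30", "22:00"));
    printf("oversized value -> %d\n", sched_wifi_status("08:30", long_value));
    return 0;
}
```

The length check runs against the destination size, not the input, so the scan itself cannot be driven past the buffer by a value with no terminator; format and range checks then reject anything that is not a plausible time before a single byte reaches the stack buffer.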
