CVE-2026-4492
Published: 20 March 2026
Summary
CVE-2026-4492 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 46.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-4492 is a stack-based buffer overflow vulnerability affecting the Tenda A18 Pro router firmware version 02.03.02.28. The flaw exists in the set_qosMib_list function within the /goform/formSetQosBand file, where manipulation of the argument list triggers the overflow. Published on 2026-03-20, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), denoting high severity due to network accessibility, low attack complexity, and no requirement for user interaction. Exploitation requires low privileges, such as an authenticated user account on the device, and can be conducted remotely. Successful attacks could grant high impacts on confidentiality, integrity, and availability, potentially enabling remote code execution.
Advisories and related details are documented on VulDB (ctiid.352018, id.352018, submit.773682) and a GitHub repository (lilukun337/cve/issues/4), where a public exploit is available for potential use. The Tenda vendor website (tenda.com.cn) is referenced for additional information, though specific patch details are not detailed in available sources.
The exploit has been publicly disclosed, increasing the risk of real-world abuse against unpatched Tenda A18 Pro devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13740
Vulnerability details
A vulnerability was found in Tenda A18 Pro 02.03.02.28. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Manipulating the argument list results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been made public and could be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in network-accessible router web form (/goform) directly enables remote exploitation of a public-facing application (T1190) from an authenticated low-privilege account, resulting in RCE and high-impact privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
Timely remediation through firmware patching directly eliminates the stack-based buffer overflow in the set_qosMib_list function of Tenda A18 Pro 02.03.02.28.
Validating and sanitizing the argument list input to /goform/formSetQosBand prevents the manipulation that triggers the buffer overflow.
Memory protection mechanisms like stack canaries and address space layout randomization mitigate exploitation of the stack-based buffer overflow even if input validation fails.
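To make the SI-10 control concrete, the following C snippet is an added illustration (not Tenda's firmware code) of the CWE-121 pattern behind this class of bug and the bounded-copy check that closes it. The function names, the 64-byte buffer size and the return values are assumptions made for the example; the real set_qosMib_list implementation is not published on this page.

```c
/* Hypothetical /goform handler fragment illustrating CWE-121 and its fix.
 * NOT Tenda's code: names, buffer size and return codes are assumed here. */
#include <stdio.h>
#include <string.h>

#define QOS_LIST_MAX 64   /* assumed size of the stack buffer for "list" */

/* Vulnerable pattern: the request-controlled "list" form argument is
 * copied into a fixed-size stack buffer with no length check (CWE-121).
 * Any value longer than QOS_LIST_MAX - 1 bytes overwrites the stack. */
int set_qos_list_unchecked(const char *list)
{
    char buf[QOS_LIST_MAX];
    strcpy(buf, list);            /* no bound: stack-based overflow */
    return (int)strlen(buf);
}

/* Hardened pattern (NIST SI-10, input validation): measure the argument
 * against the buffer before copying and refuse anything that does not fit.
 * Returns the stored length on success, -1 when the request is rejected. */
int set_qos_list_checked(const char *list)
{
    char buf[QOS_LIST_MAX];
    if (list == NULL)
        return -1;
    /* strnlen never reads past QOS_LIST_MAX bytes of the input */
    size_t n = strnlen(list, QOS_LIST_MAX);
    if (n >= QOS_LIST_MAX)        /* no room for the terminator: reject */
        return -1;
    memcpy(buf, list, n + 1);     /* copies the terminator as well */
    return (int)n;
}

int main(void)
{
    printf("checked(\"1,2,3\") = %d\n", set_qos_list_checked("1,2,3"));
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("checked(200 x 'A') = %d\n", set_qos_list_checked(big));
    return 0;
}
```

Building the handler with `-fstack-protector-strong` adds the stack canary described in the SI-16 paragraph, which turns a missed length check into a controlled abort rather than a code-execution primitive.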