Cyber Resilience

CVE-2026-4492

Severity: High
Published: 20 March 2026
Modified: 22 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: no fixed firmware version identified in the available sources
CVSS v4.0 score: 7.4 (High; the vector carries the threat metric E:P, so this is a base-plus-threat score)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0064 (percentile 46.1)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-4492 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the Tenda A18 Pro router firmware (the affected product is inferred from the references and description, since NVD has not filed a CPE for this CVE). Its CVSS v4.0 score is 7.4 (High; the vector includes E:P, so it is a base-plus-threat score), and its CVSS v3.1 base score is 8.8.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit-likelihood score of 0.0064 sits at percentile 46.1 (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4492 is a stack-based buffer overflow vulnerability affecting the Tenda A18 Pro router firmware version 02.03.02.28. The flaw exists in the set_qosMib_list function within the /goform/formSetQosBand file, where manipulation of the argument list triggers the overflow. Published on 2026-03-20, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), denoting high severity: it is reachable over the network, has low attack complexity and requires no user interaction. Exploitation requires low privileges (PR:L), for example an authenticated account on the device's web interface, and can be conducted remotely. A successful attack has high impact on confidentiality, integrity and availability and can plausibly yield remote code execution on the router.
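To make the weakness class concrete, the following is an added example written for this page; it is not code from the Tenda A18 Pro firmware, which the sources above do not reproduce. It shows the generic web-form handler pattern that produces a stack-based overflow when a "list" argument is copied into fixed-size stack buffers without bounds checks, beside a bounded version that rejects over-long input before any copy. The handler shape, the comma-separated entry format, the buffer sizes and every function and type name are assumptions.

```c
/*
 * Added illustration (not Tenda's firmware): the generic handler pattern behind
 * a stack-based overflow in a web-form argument, beside a bounded version.
 * Assumptions: the "list" argument is a comma-separated set of QoS band entries
 * copied into fixed-size stack buffers. All names and sizes are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define ENTRY_LEN   16
#define SCRATCH_LEN 64

typedef struct {
    int  count;
    char entry[MAX_ENTRIES][ENTRY_LEN];
} qos_list_t;

/* Vulnerable pattern: the argument is strcpy'd into a fixed scratch buffer,
 * each token is copied unbounded into a fixed entry, and the token count is
 * never checked. An argument longer than SCRATCH_LEN, a token longer than
 * ENTRY_LEN, or more than MAX_ENTRIES tokens all write past a stack buffer.
 * Never call this with attacker-controlled data. */
int parse_qos_list_unsafe(const char *list, qos_list_t *out)
{
    char scratch[SCRATCH_LEN];
    strcpy(scratch, list);                                 /* overflow 1 */
    out->count = 0;
    for (char *tok = strtok(scratch, ","); tok; tok = strtok(NULL, ",")) {
        strcpy(out->entry[out->count++], tok);             /* overflows 2, 3 */
    }
    return out->count;
}

/* Hardened: measure before copying, bound each token and the token count.
 * Returns the entry count, or -1 if the input is rejected. */
int parse_qos_list_safe(const char *list, qos_list_t *out)
{
    char scratch[SCRATCH_LEN];
    size_t n = 0;
    while (n < SCRATCH_LEN && list[n] != '\0')             /* bounded scan */
        n++;
    if (n == SCRATCH_LEN)                                   /* no room for NUL */
        return -1;
    memcpy(scratch, list, n + 1);
    out->count = 0;
    for (char *tok = strtok(scratch, ","); tok; tok = strtok(NULL, ",")) {
        size_t len = strlen(tok);
        if (out->count >= MAX_ENTRIES || len >= ENTRY_LEN)
            return -1;
        memcpy(out->entry[out->count++], tok, len + 1);
    }
    return out->count;
}

/* Wrappers returning only the parser's verdict, for quick checks. */
int safe_result(const char *list)
{
    qos_list_t l;
    return parse_qos_list_safe(list, &l);
}

/* Benign input only: the unsafe parser must never see attacker data. */
int unsafe_result(const char *list)
{
    qos_list_t l;
    return parse_qos_list_unsafe(list, &l);
}

/* 1 if the i-th parsed entry equals expect, else 0. */
int safe_entry_matches(const char *list, int i, const char *expect)
{
    qos_list_t l;
    int n = parse_qos_list_safe(list, &l);
    return (n > i && strcmp(l.entry[i], expect) == 0) ? 1 : 0;
}

/* Parse an argument made of n copies of c (one long token); -2 if n is
 * beyond what this helper can build. */
int safe_result_repeated(char c, size_t n)
{
    char buf[256];
    if (n >= sizeof buf)
        return -2;
    memset(buf, c, n);
    buf[n] = '\0';
    return safe_result(buf);
}

int main(void)
{
    printf("normal list:       %d\n", safe_result("band1,band2,band3")); /* 3 */
    printf("16-char token:     %d\n", safe_result_repeated('A', 16));     /* -1 */
    printf("nine entries:      %d\n", safe_result("a,b,c,d,e,f,g,h,i")); /* -1 */
    printf("100-char argument: %d\n", safe_result_repeated('A', 100));    /* -1 */
    return 0;
}
```

Build with any C99 or later compiler and run it to see the bounded parser accept a normal list and reject an over-long token, too many entries, and an argument that does not fit the scratch buffer. The unsafe variant is only ever called with benign input here; with an attacker-controlled argument it corrupts the stack, which is what a stack canary (SI-16) would catch at function return and what input validation (SI-10) keeps from being reached at all.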

Advisories and related details are documented on VulDB (ctiid.352018, id.352018, submit.773682) and in a GitHub repository (lilukun337/cve/issues/4) that hosts a public proof-of-concept exploit. The Tenda vendor website (tenda.com.cn) is referenced for additional information, but no patch or fixed firmware version is identified in the available sources.

The exploit has been publicly disclosed, increasing the risk of real-world abuse against unpatched Tenda A18 Pro devices. Treat any device whose web management interface is reachable from untrusted networks as exposed, regardless of the below-median EPSS score.

Vulnerability details

A vulnerability was found in Tenda A18 Pro 02.03.02.28. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Manipulation of the argument list results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been made public and could be used.

CWE(s)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-121 Stack-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Stack-based buffer overflow in network-accessible router web form (/goform) directly enables remote exploitation of a public-facing application (T1190) from an authenticated low-privilege account, resulting in RCE and high-impact privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3729 (shared CWE-119, CWE-121)
CVE-2026-4489 (shared CWE-119, CWE-121)
CVE-2026-6133 (shared CWE-119, CWE-121)
CVE-2026-4553 (shared CWE-119, CWE-121)
CVE-2026-2905 (shared CWE-119, CWE-121)
CVE-2026-5608 (shared CWE-119, CWE-121)
CVE-2026-6124 (shared CWE-119, CWE-121)
CVE-2026-2928 (shared CWE-119, CWE-121)
CVE-2026-2853 (shared CWE-119, CWE-121)
CVE-2026-2885 (shared CWE-119, CWE-121)

Affected Assets

Tenda A18 Pro firmware 02.03.02.28
(inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Firmware patching (prevent, recover)
Timely remediation through firmware patching directly eliminates the stack-based buffer overflow in the set_qosMib_list function of Tenda A18 Pro 02.03.02.28. No fixed version is identified in the available sources, so until one is, restrict access to the device's web management interface to trusted hosts.

SI-10 Information Input Validation (prevent)
Validating and sanitizing the argument list input to /goform/formSetQosBand (bounding its total length and the number and size of its elements before any copy into a fixed-size buffer) prevents the manipulation that triggers the buffer overflow.

SI-16 Memory Protection (prevent)
Memory protection mechanisms such as stack canaries, non-executable stacks and address space layout randomization raise the cost of exploiting the stack-based buffer overflow even if input validation fails; whether the A18 Pro firmware build enables them is not stated in the available sources.
