CVE-2026-4493
Published: 20 March 2026
Summary
CVE-2026-4493 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-4493 is a stack-based buffer overflow vulnerability affecting the Tenda A18 Pro router on firmware version 02.03.02.28. The flaw exists in the function sub_423B50 within the file /goform/setMacFilterCfg of the MAC Filtering Configuration Endpoint component. It is triggered by manipulating the deviceList argument, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. Attackers with low privileges (PR:L) can exploit it remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution. A public exploit has been disclosed.
Advisories and further details are available in referenced sources, including a GitHub issue at https://github.com/lilukun337/cve/issues/5 and VulDB entries at https://vuldb.com/?ctiid.352019, https://vuldb.com/?id.352019, and https://vuldb.com/?submit.773727, along with the vendor site at https://www.tenda.com.cn/. No specific patch or mitigation details are provided in the core vulnerability data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13754
Vulnerability details
A vulnerability was determined in Tenda A18 Pro 02.03.02.28. The impacted element is the function sub_423B50 of the file /goform/setMacFilterCfg of the component MAC Filtering Configuration Endpoint. Executing a manipulation of the argument deviceList can lead to stack-based buffer overflow.…
more
The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow RCE in public-facing router web endpoint (/goform/setMacFilterCfg) with PR:L to full compromise directly enables T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents the stack buffer overflow by enforcing validation of the deviceList argument in the MAC filtering endpoint to restrict operations within memory bounds.
Implements memory safeguards such as stack canaries, ASLR, and DEP to block unauthorized code execution from the exploited buffer overflow.
Ensures timely identification, reporting, and patching of the buffer overflow flaw in the sub_423B50 function, eliminating the vulnerability.