Cyber Resilience

CVE-2026-4493

High

Published: 20 March 2026

Modified: 22 April 2026
CVSS v4 score: 7.4 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0063 (45.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4493 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Com (product name inferred from references). Its CVSS v4 base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 45.7th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4493 is a stack-based buffer overflow vulnerability affecting the Tenda A18 Pro router on firmware version 02.03.02.28. The flaw exists in the function sub_423B50, reached through the file /goform/setMacFilterCfg of the MAC Filtering Configuration Endpoint component. It is triggered by manipulating the deviceList argument and is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. Attackers with low privileges (PR:L) can exploit it remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution. A public exploit has been disclosed.

Advisories and further details are available in referenced sources, including a GitHub issue at https://github.com/lilukun337/cve/issues/5 and VulDB entries at https://vuldb.com/?ctiid.352019, https://vuldb.com/?id.352019, and https://vuldb.com/?submit.773727, along with the vendor site at https://www.tenda.com.cn/. No specific patch or mitigation details are provided in the core vulnerability data.

EU & UK References

Vulnerability details

A vulnerability was determined in Tenda A18 Pro 02.03.02.28. The impacted element is the function sub_423B50 of the file /goform/setMacFilterCfg of the component MAC Filtering Configuration Endpoint. Executing a manipulation of the argument deviceList can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A buffer overflow leading to remote code execution in a public-facing router web endpoint (/goform/setMacFilterCfg), reachable with low privileges (PR:L) and resulting in full device compromise, maps directly to T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3729 (shared CWE-119, CWE-121)
CVE-2026-4489 (shared CWE-119, CWE-121)
CVE-2026-6133 (shared CWE-119, CWE-121)
CVE-2026-4553 (shared CWE-119, CWE-121)
CVE-2026-2905 (shared CWE-119, CWE-121)
CVE-2026-5608 (shared CWE-119, CWE-121)
CVE-2026-6124 (shared CWE-119, CWE-121)
CVE-2026-2928 (shared CWE-119, CWE-121)
CVE-2026-2853 (shared CWE-119, CWE-121)
CVE-2026-2885 (shared CWE-119, CWE-121)

Affected Assets

Com (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · SI-10 (Information Input Validation): Directly prevents the stack buffer overflow by enforcing validation of the deviceList argument in the MAC filtering endpoint so that operations stay within memory bounds.

prevent · SI-16 (Memory Protection): Implements memory safeguards such as stack canaries, ASLR, and DEP to block unauthorized code execution from the exploited buffer overflow.

prevent: Ensures timely identification, reporting, and patching of the buffer overflow flaw in the sub_423B50 function, eliminating the vulnerability.

References