CVE-2026-4535
Published: 22 March 2026
Summary
CVE-2026-4535 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh451 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the stack-based buffer overflow vulnerability in Tenda FH451 firmware version 1.0.0.9 through patching or updates.
Mandates validation of the GO argument input to the WrlclientSet function to prevent the buffer overflow exploitation.
Provides memory protections such as stack canaries and non-executable stacks to mitigate successful exploitation of the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack buffer overflow in router web endpoint (/goform/WrlclientSet) enables remote exploitation of a public-facing application (T1190) by an authenticated low-privilege user, directly resulting in RCE and high-impact privilege escalation (T1068).
NVD Description
A vulnerability has been found in Tenda FH451 1.0.0.9. This vulnerability affects the function WrlclientSet of the file /goform/WrlclientSet. Such manipulation of the argument GO leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been…
more
disclosed to the public and may be used.
Deeper analysisAI
CVE-2026-4535 is a stack-based buffer overflow vulnerability affecting Tenda FH451 routers running firmware version 1.0.0.9. The flaw exists in the WrlclientSet function processed via the /goform/WrlclientSet endpoint, where manipulation of the "GO" argument triggers the overflow. Published on 2026-03-22, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), making it remotely exploitable over the network with low attack complexity and requiring only low privileges, such as those of an authenticated user. Attackers can send crafted requests to the affected endpoint to overflow the stack, potentially achieving high impacts on confidentiality, integrity, and availability, including remote code execution.
Advisories referenced in VulDB entries (ctiid.352323, id.352323, submit.774343) and a GitHub repository detail the vulnerability and confirm public disclosure of an exploit that may be used. The Tenda website is also listed among references, though no specific patch or mitigation details are provided in the available information.
The exploit's public availability heightens the risk for unpatched Tenda FH451 devices.
Details
- CWE(s)