CVE-2026-4553
Published: 22 March 2026
Summary
CVE-2026-4553 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F453 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of the 'page' argument in the Parameters Handler to prevent stack-based buffer overflows from improper input handling.
Mandates timely identification, reporting, and patching of the specific buffer overflow flaw in Tenda F453 firmware version 1.0.0.3.
Provides memory safeguards such as stack canaries or non-executable stacks to mitigate remote code execution from exploitation of the stack buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the web form handler (/goform/Natlimit) of an internet-exposed router firmware directly enables remote exploitation of a public-facing application (T1190) by an authenticated low-privileged user, resulting in RCE that achieves high-impact privilege escalation on the device (T1068).
NVD Description
A vulnerability was identified in Tenda F453 1.0.0.3. Impacted is the function fromNatlimit of the file /goform/Natlimit of the component Parameters Handler. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack…
more
remotely. The exploit is publicly available and might be used.
Deeper analysisAI
CVE-2026-4553 is a stack-based buffer overflow vulnerability in Tenda F453 firmware version 1.0.0.3. The flaw affects the fromNatlimit function in the /goform/Natlimit file of the Parameters Handler component, triggered by manipulation of the "page" argument. Published on 2026-03-22, it is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. An attacker with low privileges can exploit it remotely over the network with low complexity and no user interaction, potentially achieving high impacts on confidentiality, integrity, and availability, such as remote code execution.
Advisories and references, including a GitHub repository at https://github.com/Litengzheng/vul_db/blob/main/F453/vul_88/README.md containing a publicly available exploit, VulDB entries (https://vuldb.com/?ctiid.352380, https://vuldb.com/?id.352380, https://vuldb.com/?submit.774931), and the Tenda website (https://www.tenda.com.cn/), provide further details. Practitioners should review these for vendor-specific patches or workarounds.
The exploit is publicly available and might be used in attacks.
Details
- CWE(s)