CVE-2026-4902

HighPublic PoC

Published: 26 March 2026

Published

26 March 2026

Modified

31 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4902 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac5 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of the 'page' argument in POST requests to /goform/addressNat to prevent stack-based buffer overflow exploitation.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of the known buffer overflow flaw in Tenda AC5 firmware 15.03.06.47 via vendor patches.

SI-16 Memory Protection good match

prevent

Deploys memory protection mechanisms like stack canaries and ASLR to mitigate exploitation of the stack-based buffer overflow.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in the router's public web interface (/goform/addressNat) enables remote exploitation of a public-facing application (T1190) by an authenticated low-privileged user, directly resulting in arbitrary code execution and high-impact privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was detected in Tenda AC5 15.03.06.47. This affects the function fromAddressNat of the file /goform/addressNat of the component POST Request Handler. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely.…

The exploit is now public and may be used.

Deeper analysisAI

CVE-2026-4902 is a stack-based buffer overflow vulnerability affecting the Tenda AC5 router on firmware version 15.03.06.47. The flaw exists in the fromAddressNat function of the /goform/addressNat file within the POST Request Handler component, where manipulation of the "page" argument triggers the overflow. Published on 2026-03-26, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWEs-119, CWE-121, and CWE-787.

The vulnerability enables remote exploitation over the network. Attackers require low privileges, such as those of an authenticated user, and can launch the attack with low complexity and no user interaction. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially leading to arbitrary code execution on the affected device.

Advisories and further details are documented at https://lavender-bicycle-a5a.notion.site/Tenda_AC5_addressNat_page-32053a41781f8017938dda66f0193ebd?source=copy_link and VulDB entries including https://vuldb.com/?ctiid.353653, https://vuldb.com/?id.353653, and https://vuldb.com/?submit.777378. Practitioners should consult the vendor site at https://www.tenda.com.cn/ for any patches or firmware updates. The exploit is public and may be used in attacks.

Notable context includes the public availability of the exploit, increasing the risk for unpatched Tenda AC5 devices exposed to the internet.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

tenda

ac5 firmware

15.03.06.47

CVEs Like This One

CVE-2026-4904Same product: Tenda Ac5

CVE-2026-4905Same product: Tenda Ac5

CVE-2026-4903Same product: Tenda Ac5

CVE-2026-4906Same product: Tenda Ac5

CVE-2026-4008Same vendor: Tenda

CVE-2026-4043Same vendor: Tenda

CVE-2026-3971Same vendor: Tenda

CVE-2026-4042Same vendor: Tenda

CVE-2026-3970Same vendor: Tenda

CVE-2026-4975Same vendor: Tenda

References

https://lavender-bicycle-a5a.notion.site/Tenda_AC5_addressNat_page-32053a41781f8017938dda66f0193ebd?source=copy_link
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.353653
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.353653
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.777378
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com