CVE-2026-4903
Published: 26 March 2026
Summary
CVE-2026-4903 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac5 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of information inputs such as the PPPOEPassword argument in POST requests to prevent stack-based buffer overflows from oversized or malformed data.
SI-2 mandates identification, reporting, and correction of flaws like the buffer overflow in the formQuickIndex function of Tenda AC5 firmware.
SI-16 enforces memory protections such as stack canaries and non-executable stacks to mitigate exploitation of the stack-based buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the router's remotely accessible web form handler (/goform/QuickIndex) directly enables remote exploitation of a public-facing network device interface, mapping to T1190 for initial access and full device compromise via published exploit.
NVD Description
A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability affects the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. This manipulation of the argument PPPOEPassword causes stack-based buffer overflow. The attack may be initiated…
more
remotely. The exploit has been published and may be used.
Deeper analysisAI
CVE-2026-4903 is a stack-based buffer overflow vulnerability affecting Tenda AC5 routers running firmware version 15.03.06.47. The issue lies in the formQuickIndex function of the /goform/QuickIndex file within the POST Request Handler component, where manipulation of the PPPOEPassword argument triggers the overflow. Associated CWEs include CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-26.
An attacker with low privileges can exploit this remotely over the network with low attack complexity and no user interaction. Exploitation of the buffer overflow may enable high-impact compromise, including unauthorized access to sensitive data, modification of system integrity, and disruption of availability, potentially leading to full router control.
Advisories detail the issue on VulDB (ctiid.353654, id.353654, submit.777380) and a Notion page with exploit analysis, while the Tenda vendor site (tenda.com.cn) is referenced for potential updates. A public exploit has been published and may be used, heightening exploitation risk.
Details
- CWE(s)