CVE-2026-4906
Published: 27 March 2026
Summary
CVE-2026-4906 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac5 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of manipulated POST arguments like WANT/WANS in the decodePwd function to prevent stack-based buffer overflows.
Enforces restrictions on input length and types at the POST request handler boundary to block buffer overflow triggers.
Provides memory protections like stack canaries and non-executable stacks to mitigate exploitation of the buffer overflow vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in router web form handler (/goform/WizardHandle) enables remote code execution over the network against a public-facing management interface.
NVD Description
A vulnerability was determined in Tenda AC5 15.03.06.47. The affected element is the function decodePwd of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the argument WANT/WANS can lead to stack-based buffer overflow. The attack…
more
can be executed remotely. The exploit has been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-4906 is a stack-based buffer overflow vulnerability affecting the Tenda AC5 router on firmware version 15.03.06.47. The flaw exists in the decodePwd function of the /goform/WizardHandle file within the POST Request Handler component, triggered by manipulating the WANT or WANS arguments in a request.
The vulnerability enables remote exploitation by attackers with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 8.8. It is associated with CWEs 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), 121 (Stack-based Buffer Overflow), and 787 (Out-of-bounds Write).
Advisories and references, including detailed analysis at a Notion site and VulDB entries (ctiid.353657, id.353657, submit.777394), document the issue, with the Tenda vendor site also listed. No specific patch or mitigation steps are detailed in the available information.
The exploit has been publicly disclosed and may be utilized, per the vulnerability description published on 2026-03-27.
Details
- CWE(s)