CVE-2026-4960
Published: 27 March 2026
Summary
CVE-2026-4960 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac6 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely scanning, assessment, and remediation of known flaws like this stack-based buffer overflow via patching the Tenda AC6 firmware.
Mandates validation of POST request inputs such as the WANT/WANS arguments to prevent the buffer overflow manipulation.
Implements memory safeguards like stack canaries, ASLR, and DEP to block unauthorized code execution from stack buffer overflows.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in the router's network-accessible web POST handler (/goform/WizardHandle) enables remote arbitrary code execution with low privileges and no user interaction, directly matching exploitation of a public-facing application.
NVD Description
A vulnerability was determined in Tenda AC6 15.03.05.16. Affected is the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. Executing a manipulation of the argument WANT/WANS can lead to stack-based buffer overflow. The attack can be…
more
executed remotely. The exploit has been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-4960 is a stack-based buffer overflow vulnerability affecting Tenda AC6 router version 15.03.05.16. The flaw exists in the fromWizardHandle function within the /goform/WizardHandle file of the POST Request Handler component. Manipulation of the WANT/WANS argument triggers the overflow, as documented under CWEs-119, CWE-121, and CWE-787.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity and low privileges required, without user interaction. Remote attackers can leverage this to achieve high impacts on confidentiality, integrity, and availability, potentially enabling arbitrary code execution. The exploit has been publicly disclosed and may be utilized.
Advisories from VulDB (https://vuldb.com/?ctiid.353837, https://vuldb.com/?id.353837, https://vuldb.com/?submit.777616) and a detailed write-up at https://lavender-bicycle-a5a.notion.site/Tenda-AC6-WizardHandle-32053a41781f800eb05feb16885747f7 provide vulnerability specifics, while the vendor site https://www.tenda.com.cn/ is referenced for potential patches or updates. Security practitioners should consult these resources for mitigation guidance.
Details
- CWE(s)