CVE-2026-4961
Published: 27 March 2026
Summary
CVE-2026-4961 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac6 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents stack-based buffer overflow by enforcing validation of the PPPOEPassword argument in the formQuickIndex POST handler to reject overly long or malformed inputs.
Implements memory protections such as stack canaries, ASLR, and DEP to block exploitation of the buffer overflow even if invalid inputs reach the vulnerable function.
Requires timely flaw remediation through vendor patches for the specific buffer overflow in Tenda AC6 firmware version 15.03.05.16.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote stack-based buffer overflow in the web form handler (/goform/QuickIndex) of an internet-facing router directly enables exploitation of a public-facing application for RCE or DoS.
NVD Description
A vulnerability was identified in Tenda AC6 15.03.05.16. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack is…
more
possible to be carried out remotely. The exploit is publicly available and might be used.
Deeper analysisAI
CVE-2026-4961, published on 2026-03-27, is a stack-based buffer overflow vulnerability affecting Tenda AC6 routers running version 15.03.05.16. The flaw exists in the formQuickIndex function of the /goform/QuickIndex file within the POST Request Handler component, where manipulation of the PPPOEPassword argument triggers the overflow. It is classified under CWE-119, CWE-121, and CWE-787, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or denial of service. A public exploit is available and might be used in attacks.
Advisories from VulDB, including details at https://vuldb.com/?ctiid.353838, https://vuldb.com/?id.353838, and https://vuldb.com/?submit.777617, document the issue, while the vendor site at https://www.tenda.com.cn/ provides relevant information. Security practitioners should review these references for patch availability or mitigation guidance.
The public availability of an exploit, as noted in a detailed write-up at https://lavender-bicycle-a5a.notion.site/Tenda-AC6-QuickIndex-32053a41781f80758e27fa4259ec80cf?source=copy_link, elevates the risk for exposed Tenda AC6 devices.
Details
- CWE(s)