CVE-2026-4491
Stack-Based Buffer Overflow in Tenda A18 Pro Remote Function
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | a18_pro | 02.03.02.28 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability exists in the Tenda A18 Pro router firmware version V02.03.02.28, specifically in the function fromSetIpMacBind within the /goform/SetIpMacBind endpoint. It is a stack-based buffer overflow caused by unsafe handling of a user-supplied "list" parameter. The function uses the unsafe strcpy function to copy this input into a fixed-size 128-byte buffer without validating its length, allowing an attacker to overflow the buffer and corrupt the stack.'}, {'type': 'paragraph', 'content': "Additionally, improper parsing of the input and unsafe use of sprintf in a downstream function set_device_name create further opportunities for memory corruption. This can lead to remote code execution or denial of service by crashing the router's web management interface."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'The vulnerability can be exploited remotely by sending a specially crafted "list" parameter to the router\'s IP-MAC binding configuration endpoint. This can result in:'}, {'type': 'list_item', 'content': 'Remote Code Execution (RCE) allowing an attacker to execute arbitrary code with root privileges on the device.'}, {'type': 'list_item', 'content': 'Denial of Service (DoS) by crashing the HTTP daemon, which disables the routerβs web management interface and potentially disrupts network connectivity.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests sent to the endpoint /goform/SetIpMacBind on Tenda A18 Pro routers running firmware version V02.03.02.28.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves checking for unusually large or malformed "list" parameters in these POST requests, as the vulnerability is triggered by an excessively large input string causing a stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves sending a very large "list" parameter (e.g., 10,000 \'A\' characters) to this endpoint, which causes the HTTP daemon to crash.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., Wireshark or tcpdump) to capture HTTP POST requests to /goform/SetIpMacBind and inspect the "list" parameter size.'}, {'type': 'list_item', 'content': 'Run a command like: curl -X POST -d "list=AAAAAAAA..." http://<router-ip>/goform/SetIpMacBind to test if the device crashes or behaves abnormally.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable endpoint and preventing untrusted users from sending POST requests to /goform/SetIpMacBind.'}, {'type': 'paragraph', 'content': "Network administrators should implement firewall rules or access control lists to block external or unauthorized access to the router's web management interface."}, {'type': 'paragraph', 'content': 'Additionally, monitoring for abnormal crashes or service disruptions on the router can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'Long-term remediation involves updating the firmware to a version where the unsafe strcpy calls are replaced with strncpy, input length and format validations are enforced, and bounds-checked functions like snprintf are used.'}] [1]