CVE-2026-4492
Received - Intake
Remote Stack-Based Buffer Overflow in Tenda A18 Pro QoS Function

Publication date: 2026-03-20

Last updated on: 2026-03-20

Assigner: VulDB

Description
A vulnerability was found in Tenda A18 Pro 02.03.02.28. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Manipulating the argument list results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit has been made public and could be used.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-20
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| tenda | a18_pro | 02.03.02.28 |
| CWE ID | Description |
|--------|-------------|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Tenda A18 Pro router firmware version 02.03.02.28, specifically in the function set_qosMib_list within the /goform/formSetQosBand endpoint. The function processes a user-controlled list parameter by copying segments of it into a fixed-size stack buffer without checking the length, using the unsafe strcpy function.

Because there is no bounds checking, if any segment of the input exceeds 255 characters, it causes a stack-based buffer overflow. This overflow can overwrite the stack frame, including the function's return address.

An attacker can exploit this remotely by sending a specially crafted request to the vulnerable endpoint, potentially causing the router's HTTP service to crash (Denial of Service) or enabling Remote Code Execution (RCE) by hijacking the program counter to run arbitrary code.

The vulnerability is worsened by the fact that the parsed data is passed to another function with its own overflow issues, increasing the risk. [1]


How can this vulnerability impact me?

This vulnerability can have serious impacts including:

- Denial of Service (DoS) by crashing the router's HTTP daemon, making the device unresponsive.
- Remote Code Execution (RCE), allowing an attacker to execute arbitrary code on the router remotely.
- Potential compromise of the router, which could lead to interception or manipulation of network traffic, unauthorized access, or further attacks on connected devices. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending specially crafted HTTP requests to the vulnerable endpoint `/goform/formSetQosBand` on Tenda A18 Pro routers running firmware version V02.03.02.28. Specifically, sending a very long string (e.g., thousands of characters) as the `list` parameter can trigger the stack-based buffer overflow, causing the router's HTTP daemon to crash or become unresponsive.

A proof-of-concept involves sending a long string of characters followed by a delimiter to the endpoint. Monitoring for crashes or service unavailability after such requests indicates the presence of the vulnerability.

Example commands to test this might include using curl or similar tools to send a long payload:

- `curl -X POST http://<router-ip>/goform/formSetQosBand -d "list=$(python3 -c 'print("A"*10000 + ";")')"`
- Observe if the router's HTTP service crashes or becomes unresponsive after the request. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding exposure of the vulnerable endpoint to untrusted networks and restricting access to the router's management interface.

If possible, update the router firmware to a version where the vulnerability is fixed. The fix involves replacing unsafe functions like `strcpy` with safer alternatives such as `strncpy` and validating input lengths before processing.

Additional recommendations include:

- Block or filter HTTP POST requests to `/goform/formSetQosBand` from untrusted sources.
- Monitor router logs and network traffic for unusual or excessively long requests targeting QoS configuration.
- Consider isolating the device from the internet or untrusted networks until a patch is applied. [1]
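The length validation and bounded copy described in the fix, sketched as an added example; this is not Tenda's firmware code and not taken from the referenced advisory. The 255-byte segment limit comes from the description above, while the `;` delimiter, the function names and the callback are assumptions. It checks lengths and uses `memcpy` with an explicit terminator because `strncpy` on its own leaves the buffer unterminated when the source fills it.

```c
#include <stddef.h>
#include <string.h>

#define SEG_MAX   255  /* assumed: the page says segments over 255 chars overflow */
#define SEG_DELIM ';'  /* assumed: delimiter used in the page's test request */

/* Receives one NUL-terminated segment of at most SEG_MAX bytes. */
typedef void (*seg_fn)(const char *seg, void *ctx);

/* Length of the segment starting at p; *next is the following segment or NULL. */
static size_t seg_len(const char *p, const char **next)
{
    const char *end = strchr(p, SEG_DELIM);
    *next = end ? end + 1 : NULL;
    return end ? (size_t)(end - p) : strlen(p);
}

/* Returns the number of non-empty segments handed to fn, or -1 when list is NULL
 * or any segment exceeds SEG_MAX. All segments are validated before any is used. */
int parse_qos_list(const char *list, seg_fn fn, void *ctx)
{
    char seg[SEG_MAX + 1];                /* fixed-size stack buffer */
    const char *p, *next;
    int count = 0;
    if (list == NULL) return -1;
    for (p = list; p != NULL; p = next)   /* pass 1: length check only */
        if (seg_len(p, &next) > SEG_MAX)
            return -1;
    for (p = list; p != NULL; p = next) { /* pass 2: bounded copy */
        size_t len = seg_len(p, &next);
        if (len == 0) continue;           /* skip empty segments */
        memcpy(seg, p, len);              /* len <= SEG_MAX, checked in pass 1 */
        seg[len] = '\0';                  /* explicit terminator */
        if (fn) fn(seg, ctx);
        count++;
    }
    return count;
}

/* Constructed input: one segment of n 'A' bytes plus the delimiter. */
int try_segment_of(size_t n)
{
    static char buf[1024];
    if (n > sizeof buf - 2) return -2;    /* does not fit the test buffer */
    memset(buf, 'A', n);
    buf[n] = SEG_DELIM;
    buf[n + 1] = '\0';
    return parse_qos_list(buf, NULL, NULL);
}
```

The same -1 result can drive the monitoring recommendation: a request whose `list` value fails this check is one worth logging and dropping before it reaches the device.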

