CVE-2026-4974
Remote Stack-Based Buffer Overflow in Tenda AC7 POST Handler
Publication date: 2026-03-27
Last updated on: 2026-03-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | ac7_firmware | 15.03.06.44 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw found in the Tenda AC7 router firmware version 15.03.06.44. It exists in the function fromSetSysTime within the /goform/SetSysTimeCfg component, which handles POST requests. By manipulating the argument 'Time' sent to this function, an attacker can trigger a stack-based buffer overflow.
This buffer overflow can be exploited remotely, meaning an attacker does not need physical access to the device to launch the attack. The exploit code for this vulnerability has already been published.
How can this vulnerability impact me? :
Exploiting this vulnerability can lead to severe consequences because a stack-based buffer overflow can allow an attacker to execute arbitrary code on the affected device.
- Remote code execution on the router
- Potential full compromise of the device
- Disruption of network services
- Unauthorized access to network traffic or connected devices