Skip to main content
CVE Vulnerability Database

CVE-2026-4905: Tenda AC5 Buffer Overflow Vulnerability

CVE-2026-4905 is a stack-based buffer overflow vulnerability in Tenda AC5 Firmware that enables remote attackers to exploit the WifiWpsOOB function. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2026-4905 Overview

CVE-2026-4905 is a stack-based buffer overflow vulnerability affecting Tenda AC5 routers running firmware version 15.03.06.47. The flaw resides in the formWifiWpsOOB function within the /goform/WifiWpsOOB endpoint of the POST request handler. Attackers can manipulate the index argument to trigger memory corruption on the stack. The vulnerability is exploitable remotely over the network and a public exploit description has been released, increasing the risk of opportunistic attacks against exposed devices.

Critical Impact

Remote attackers can corrupt stack memory in Tenda AC5 routers via crafted POST requests to /goform/WifiWpsOOB, potentially leading to arbitrary code execution or denial of service against the device.

Affected Products

  • Tenda AC5 router (hardware revision 1.0)
  • Tenda AC5 firmware version 15.03.06.47
  • Deployments exposing the /goform/WifiWpsOOB web management endpoint

Discovery Timeline

  • 2026-03-27 - CVE-2026-4905 published to NVD
  • 2026-03-31 - Last updated in NVD database

Technical Details for CVE-2026-4905

Vulnerability Analysis

The vulnerability is a stack-based buffer overflow [CWE-121] tracked under the broader memory corruption categories [CWE-119] and [CWE-787]. The formWifiWpsOOB handler processes the index parameter supplied through a POST request to /goform/WifiWpsOOB. The handler copies the attacker-controlled value into a fixed-size stack buffer without proper bounds validation. When the input exceeds the buffer length, adjacent stack data, including saved return addresses, is overwritten. Successful exploitation can redirect execution flow on the embedded MIPS or ARM target running the Tenda firmware.

Root Cause

The root cause is missing length validation in the formWifiWpsOOB function before copying the index argument into a stack-allocated buffer. The firmware relies on user-supplied data from an authenticated web interface without enforcing maximum input length, which violates safe string-handling practices common in embedded HTTP daemons.

Attack Vector

An attacker with network access to the router's management interface sends a crafted POST request to /goform/WifiWpsOOB containing an oversized index parameter. The CVSS v4.0 vector indicates low privileges are required and no user interaction is needed. Where the management interface is exposed to a wider network segment or to the internet, the attack surface increases substantially. Refer to the Notion OOB Exploit Analysis and VulDB entry #353656 for technical specifics of the overflow.

// No verified exploit code is published in NVD references.
// See the Notion analysis and VulDB submission for technical details.

Detection Methods for CVE-2026-4905

Indicators of Compromise

  • HTTP POST requests to /goform/WifiWpsOOB containing an unusually long index parameter value
  • Repeated crashes, reboots, or watchdog resets of the Tenda AC5 router following inbound web traffic
  • Unexpected outbound connections from the router to attacker-controlled infrastructure after a malformed request
  • Web management interface accessible from untrusted network segments or the public internet

Detection Strategies

  • Inspect network telemetry for POST requests targeting /goform/WifiWpsOOB with parameter lengths exceeding normal client behavior
  • Deploy network IDS/IPS signatures that match oversized index values destined for the Tenda HTTP management port
  • Correlate router availability loss events with preceding HTTP requests to administrative goform endpoints

Monitoring Recommendations

  • Forward router syslog and authentication events to a centralized logging platform for analysis
  • Track baseline request sizes to the /goform/ namespace and alert on statistical outliers
  • Monitor for new administrative sessions originating from non-management VLANs or external addresses

How to Mitigate CVE-2026-4905

Immediate Actions Required

  • Restrict access to the Tenda AC5 web management interface to trusted internal management networks only
  • Disable remote (WAN-side) administration on all affected devices until a vendor patch is available
  • Change default and weak administrative credentials, since exploitation requires low privileges
  • Audit network exposure of /goform/WifiWpsOOB and block the endpoint at upstream firewalls where feasible

Patch Information

At the time of publication, no fixed firmware release has been listed in the NVD references for Tenda AC5 15.03.06.47. Administrators should monitor the Tenda official website for firmware updates addressing this issue and apply them as soon as they are released.

Workarounds

  • Place affected routers behind a perimeter firewall and deny inbound HTTP/HTTPS traffic to the management interface
  • Segment the router management VLAN from user and guest networks to limit lateral attack paths
  • Where feasible, replace end-of-life or unsupported Tenda AC5 devices with hardware receiving active security maintenance
bash
# Example: block external access to the Tenda AC5 management interface
# Replace <ROUTER_IP> with the device address and <MGMT_PORT> with the admin port (typically 80 or 443)
iptables -A FORWARD -d <ROUTER_IP> -p tcp --dport <MGMT_PORT> -i <wan_interface> -j DROP
iptables -A INPUT   -d <ROUTER_IP> -p tcp --dport <MGMT_PORT> -i <wan_interface> -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.