CVE-2026-4905 Overview
CVE-2026-4905 is a stack-based buffer overflow vulnerability affecting Tenda AC5 routers running firmware version 15.03.06.47. The flaw resides in the formWifiWpsOOB function within the /goform/WifiWpsOOB endpoint of the POST request handler. Attackers can manipulate the index argument to trigger memory corruption on the stack. The vulnerability is exploitable remotely over the network and a public exploit description has been released, increasing the risk of opportunistic attacks against exposed devices.
Critical Impact
Remote attackers can corrupt stack memory in Tenda AC5 routers via crafted POST requests to /goform/WifiWpsOOB, potentially leading to arbitrary code execution or denial of service against the device.
Affected Products
- Tenda AC5 router (hardware revision 1.0)
- Tenda AC5 firmware version 15.03.06.47
- Deployments exposing the /goform/WifiWpsOOB web management endpoint
Discovery Timeline
- 2026-03-27 - CVE-2026-4905 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-4905
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow [CWE-121] tracked under the broader memory corruption categories [CWE-119] and [CWE-787]. The formWifiWpsOOB handler processes the index parameter supplied through a POST request to /goform/WifiWpsOOB. The handler copies the attacker-controlled value into a fixed-size stack buffer without proper bounds validation. When the input exceeds the buffer length, adjacent stack data, including saved return addresses, is overwritten. Successful exploitation can redirect execution flow on the embedded MIPS or ARM target running the Tenda firmware.
Root Cause
The root cause is missing length validation in the formWifiWpsOOB function before copying the index argument into a stack-allocated buffer. The firmware relies on user-supplied data from an authenticated web interface without enforcing maximum input length, which violates safe string-handling practices common in embedded HTTP daemons.
Attack Vector
An attacker with network access to the router's management interface sends a crafted POST request to /goform/WifiWpsOOB containing an oversized index parameter. The CVSS v4.0 vector indicates low privileges are required and no user interaction is needed. Where the management interface is exposed to a wider network segment or to the internet, the attack surface increases substantially. Refer to the Notion OOB Exploit Analysis and VulDB entry #353656 for technical specifics of the overflow.
// No verified exploit code is published in NVD references.
// See the Notion analysis and VulDB submission for technical details.
Detection Methods for CVE-2026-4905
Indicators of Compromise
- HTTP POST requests to /goform/WifiWpsOOB containing an unusually long index parameter value
- Repeated crashes, reboots, or watchdog resets of the Tenda AC5 router following inbound web traffic
- Unexpected outbound connections from the router to attacker-controlled infrastructure after a malformed request
- Web management interface accessible from untrusted network segments or the public internet
Detection Strategies
- Inspect network telemetry for POST requests targeting /goform/WifiWpsOOB with parameter lengths exceeding normal client behavior
- Deploy network IDS/IPS signatures that match oversized index values destined for the Tenda HTTP management port
- Correlate router availability loss events with preceding HTTP requests to administrative goform endpoints
Monitoring Recommendations
- Forward router syslog and authentication events to a centralized logging platform for analysis
- Track baseline request sizes to the /goform/ namespace and alert on statistical outliers
- Monitor for new administrative sessions originating from non-management VLANs or external addresses
How to Mitigate CVE-2026-4905
Immediate Actions Required
- Restrict access to the Tenda AC5 web management interface to trusted internal management networks only
- Disable remote (WAN-side) administration on all affected devices until a vendor patch is available
- Change default and weak administrative credentials, since exploitation requires low privileges
- Audit network exposure of /goform/WifiWpsOOB and block the endpoint at upstream firewalls where feasible
Patch Information
At the time of publication, no fixed firmware release has been listed in the NVD references for Tenda AC5 15.03.06.47. Administrators should monitor the Tenda official website for firmware updates addressing this issue and apply them as soon as they are released.
Workarounds
- Place affected routers behind a perimeter firewall and deny inbound HTTP/HTTPS traffic to the management interface
- Segment the router management VLAN from user and guest networks to limit lateral attack paths
- Where feasible, replace end-of-life or unsupported Tenda AC5 devices with hardware receiving active security maintenance
# Example: block external access to the Tenda AC5 management interface
# Replace <ROUTER_IP> with the device address and <MGMT_PORT> with the admin port (typically 80 or 443)
iptables -A FORWARD -d <ROUTER_IP> -p tcp --dport <MGMT_PORT> -i <wan_interface> -j DROP
iptables -A INPUT -d <ROUTER_IP> -p tcp --dport <MGMT_PORT> -i <wan_interface> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

