Home / Vulnerability Intelligence / CVE-2026-4254

CVE-2026-4254 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 17, 2026

Tenda AC8 - Buffer Overflow

Published: March 16, 2026Updated: March 17, 2026Remote Exploitable

Overview

Tenda AC8 <= 16.03.50.11 contains a buffer overflow caused by improper handling of the argument local_2c in /goform/SysToolChangePwd HTTP Endpoint, letting remote attackers execute code, exploit requires crafted request.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Remote attackers can execute arbitrary code, potentially leading to full system compromise.

Mitigation

Update to the latest version beyond 16.03.50.11.

References

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 17, 2026

🚨 CRITICAL: CVE-2026-4254 in Tenda AC8 (fw ≤16.03.50.11) enables remote stack buffer overflow via /goform/SysToolChangePwd. Public exploit out — isolate & monitor! No patch yet. https://radar.offseq.com/threat/cve-2026-4254-stack-based-buffer-overflow-in-tenda-501e8b3e #OffSeq #CVE20264254 #RouterSecurity #Vuln

View original post

Related Resources

Details

CVE ID: CVE-2026-4254
Severity: Critical
CVSS Score: 9.8
Type: buffer_overflow
Status: unconfirmed
EPSS: 4.7%
Social Posts: 1

CWE

CWE-119

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days