Which versions of Tenda are affected by CVE-2026-4565?

A high-severity vulnerability in Tenda AC21 routers allows authenticated attackers to remotely compromise system integrity, steal data, or cause service disruption.. A patch is available.

Is there a public PoC exploit available for CVE-2026-4565?

Yes, a public proof-of-concept exploit is available for CVE-2026-4565. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-4565?

Within 24 hours: Identify and inventory all Tenda AC21 routers running firmware 16.03.08.16 in your environment; verify network segmentation restricts router management access to authorized personnel only. Within 7 days: Disable remote management features on affected routers if operationally feasible; restrict administrative access to the /goform/SetNetControlList endpoint to trusted internal networks only using firewall rules. Within 30 days: Contact Tenda for patch ETA and evaluate replacement with routers from vendors with active security support; test and deploy any available firmware updates immediately upon release.

Tenda CVE-2026-4565

Q: What is the CVSS score of CVE-2026-4565?

CVE-2026-4565 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-14343 HIGH

Classic Buffer Overflow (CWE-120)

2026-03-23 VulDB

Buffer Overflow Tenda

7.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 03, 2026 - 11:31 vuln.today

Public exploit code

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 23, 2026 - 01:00 euvd

EUVD-2026-14343

Analysis Generated

Mar 23, 2026 - 01:00 vuln.today

CVE Published

Mar 23, 2026 - 00:34 nvd

HIGH 7.4

DescriptionNVD

A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetNetControlList. Performing a manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.

AnalysisAI

Buffer overflow in Tenda AC21 firmware version 16.03.08.16 allows authenticated remote attackers to achieve complete system compromise through crafted QoS configuration requests to the SetNetControlList endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Tenda AC21 web interface

Delivery

Send crafted request to /goform/SetNetControlList

Exploit

Manipulate argument list in formSetQosBand function

Execution

Trigger buffer overflow

Impact

Execute arbitrary code on device