{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4565", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-22T08:29:00.489Z", "datePublished": "2026-03-23T00:34:59.843Z", "dateUpdated": "2026-03-23T16:39:11.312Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T00:34:59.843Z"}, "title": "Tenda AC21 SetNetControlList formSetQosBand buffer overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120", "lang": "en", "description": "Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "Tenda", "product": "AC21", "versions": [{"version": "16.03.08.16", "status": "affected"}], "cpes": ["cpe:2.3:o:tenda:ac21_firmware:*:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetNetControlList. Performing a manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "baseSeverity": "HIGH"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 9, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-22T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-22T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-22T09:34:05.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "junqi (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.352402", "name": "VDB-352402 | Tenda AC21 SetNetControlList formSetQosBand buffer overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352402", "name": "VDB-352402 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775119", "name": "Submit #775119 | Tenda AC21 Tenda AC21 V1.0 V16.03.08.16 Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/hellonestor/killallbug/issues/14", "tags": ["issue-tracking"]}, {"url": "https://github.com/hellonestor/killallbug/releases/tag/poc", "tags": ["exploit", "patch"]}, {"url": "https://www.tenda.com.cn/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:14:41.314419Z", "id": "CVE-2026-4565", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:39:11.312Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4565", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T16:14:41.314419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:15:27.517Z"}}], "cna": {"title": "Tenda AC21 SetNetControlList formSetQosBand buffer overflow", "credits": [{"lang": "en", "type": "reporter", "value": "junqi (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 9, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:o:tenda:ac21_firmware:*:*:*:*:*:*:*:*"], "vendor": "Tenda", "product": "AC21", "versions": [{"status": "affected", "version": "16.03.08.16"}]}], "timeline": [{"lang": "en", "time": "2026-03-22T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-22T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-22T09:34:05.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.352402", "name": "VDB-352402 | Tenda AC21 SetNetControlList formSetQosBand buffer overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.352402", "name": "VDB-352402 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.775119", "name": "Submit #775119 | Tenda AC21 Tenda AC21 V1.0 V16.03.08.16 Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/hellonestor/killallbug/issues/14", "tags": ["issue-tracking"]}, {"url": "https://github.com/hellonestor/killallbug/releases/tag/poc", "tags": ["exploit", "patch"]}, {"url": "https://www.tenda.com.cn/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetNetControlList. Performing a manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-23T00:34:59.843Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4565", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:39:11.312Z", "dateReserved": "2026-03-22T08:29:00.489Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-23T00:34:59.843Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ac21_firmware:16.03.08.16:*:*:*:*:*:*:*", "matchCriteriaId": "089AC516-5475-4725-B348-832A00ED0CC3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ac21:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "BCFA3A9C-39E8-46C1-B5C8-928EA45EBCDB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetNetControlList. Performing a manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en Tenda AC21 16.03.08.16. Afectada es la funci\u00f3n formSetQosBand del archivo /goform/SetNetControlList. Realizar una manipulaci\u00f3n del argumento list resulta en desbordamiento de b\u00fafer. El ataque puede ser iniciado remotamente. El exploit es ahora p\u00fablico y puede ser usado."}], "id": "CVE-2026-4565", "lastModified": "2026-04-03T11:31:50.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-23T01:16:43.803", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/hellonestor/killallbug/issues/14"}, {"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://github.com/hellonestor/killallbug/releases/tag/poc"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.352402"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.352402"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.775119"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://www.tenda.com.cn/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16.03.08.16"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AC21", "source": "cna", "vendor": "Tenda"}, "product": "ac21", "vendor": "tenda"}], "analysis": {"en": {"generated_at": "2026-04-03T13:22:44.106613+00:00", "value": {"mitigation_remediation": ["Install the latest firmware version released by Tenda that resolves the buffer overflow in formSetQosBand.", "If no updated firmware is available, disable the QoS functionality or restrict access to the /goform/SetNetControlList endpoint to limit exposure.", "Monitor the router for unusual QoS configuration activity or attempts to write beyond buffer limits, and log all remote management attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects all Tenda AC21 routers running firmware version 16.03.08.16, as identified in the product\u2019s CPE entries. No older versions are explicitly listed, but the same implementation of formSetQosBand likely exists in firmware builds released around that time. Administrators should verify their device\u2019s current firmware version against the vendor\u2019s catalog to determine exposure.", "description_and_impact": "The documented flaw is a buffer overflow in the formSetQosBand handler within the /goform/SetNetControlList interface of the Tenda AC21. By supplying an overly long or carefully structured argument list, an attacker can corrupt the stack on the device, potentially allowing arbitrary memory write and execution of malicious code. Because the handler can be invoked remotely, the attacker does not need prior authentication; the vulnerability is exploitable over the public network and is known to be actively used.", "risk_and_exploitability": "The advisory assigns a CVSS score of 8.7, indicating high severity, while the EPSS score is below 1\u202f%, suggesting a low average likelihood of detection but not ruling out opportunistic exploitation. The vulnerability is not yet included in CISA\u2019s KEV catalog, meaning active exploitation in the wild is not formally documented, yet proof\u2011of\u2011concept exploits are publicly available, underscoring the need for timely mitigation."}}}}, "created": "2026-03-23T09:45:44.269594+00:00", "updated": "2026-04-03T21:18:11.685164+00:00", "vendors": ["tenda", "tenda$PRODUCT$ac21"]}