CVE-2026-3972

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0018 39.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in Tenda W3 1.0.0.3(2204). Affected by this issue is the function formSetCfm of the file /goform/setcfm of the component HTTP Handler. The manipulation of the argument funcpara1 results in stack-based buffer overflow. The attack can only…

be performed from the local network. The exploit has been made public and could be used.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely patching or firmware updates to remediate the specific stack-based buffer overflow in the formSetCfm function.

SI-10 Information Input Validation good match

prevent

Enforces validation of the funcpara1 argument to prevent improper restriction of operations within memory bounds, directly countering CWE-119/121/787.

SI-16 Memory Protection good match

prevent

Provides memory safeguards like stack canaries to block unauthorized code execution from the stack buffer overflow exploitation.

Security SummaryAI

CVE-2026-3972 is a stack-based buffer overflow vulnerability affecting the Tenda W3 router on firmware version 1.0.0.3(2204). The flaw resides in the formSetCfm function within the /goform/setcfm file of the HTTP Handler component, where manipulation of the funcpara1 argument triggers the overflow. Published on 2026-03-12, it is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write), earning a CVSS v3.1 base score of 8.8.

Exploitation requires adjacency to the local network (AV:A) and is low complexity (AC:L) with no authentication (PR:N) or user interaction (UI:N) needed in an unchanged scope (S:U). Successful attacks can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), such as remote code execution on the device.

Advisories from VulDB (ctiid.350407, id.350407, submit.769172) document the issue, while a proof-of-concept exploit is publicly available in a GitHub repository at https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-w3-setcfm-funcpara1-buffer-overflow. The vendor's site at https://www.tenda.com.cn/ is referenced, but no specific patches or mitigations are detailed in the provided sources.

The exploit has been made public, increasing the risk for unpatched Tenda W3 devices on local networks.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

tenda

w3 firmware

1.0.0.3\(2204\)

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a stack-based buffer overflow in the HTTP handler (/goform/setcfm) of a router's web management interface, enabling unauthenticated remote code execution from the local network (AV:A), directly facilitating exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-w3-setcfm-funcpara1-buffer-overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.350407
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.350407
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.769172
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com