CVE-2026-3044
Published: 24 February 2026
Summary
CVE-2026-3044 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Ac8 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and correction of the stack-based buffer overflow flaw in the webCgiGetUploadFile function via firmware patching.
Mandates validation of untrusted inputs like the boundary argument to prevent improper restriction of operations within memory bounds leading to overflow.
Implements memory protection mechanisms such as stack canaries and non-executable stacks to mitigate exploitation of stack-based buffer overflows.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack buffer overflow in exposed Httpd/CGI web interface (AV:N, PR:L) directly enables remote exploitation of a public-facing application for RCE and subsequent privilege escalation to full device control.
NVD Description
A vulnerability has been found in Tenda AC8 16.03.34.06. This affects the function webCgiGetUploadFile of the file /cgi-bin/UploadCfg of the component Httpd Service. The manipulation of the argument boundary leads to stack-based buffer overflow. It is possible to initiate the…
more
attack remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2026-3044 is a stack-based buffer overflow vulnerability in the Tenda AC8 router running firmware version 16.03.34.06. The issue resides in the webCgiGetUploadFile function within the /cgi-bin/UploadCfg file of the Httpd Service component. By manipulating the "boundary" argument, an attacker can trigger the overflow, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A remote attacker with low privileges can exploit this vulnerability without user interaction and with low complexity. Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially leading to remote code execution on the affected device.
Advisories and details are documented in references including a GitHub issue at https://github.com/master-abc/cve/issues/43 and VulDB entries at https://vuldb.com/?ctiid.347400, https://vuldb.com/?id.347400, and https://vuldb.com/?submit.757240, with the vendor site at https://www.tenda.com.cn/. No specific patch or mitigation details are provided in the CVE description.
The exploit has been publicly disclosed and may be used, as noted in the vulnerability report published on 2026-02-24.
Details
- CWE(s)