CVE-2026-3168
Published: 25 February 2026
Summary
CVE-2026-3168 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F453 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediates the buffer overflow vulnerability in the httpd /goform/NatStaticSetting endpoint by applying vendor firmware patches or updates.
Enforces validation of the 'page' argument to prevent buffer overflow exploitation in the fromNatStaticSetting function.
Deploys memory protections like ASLR and DEP to mitigate arbitrary code execution from buffer overflows in the httpd component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow RCE in public-facing httpd web endpoint (/goform/NatStaticSetting) with low-priv remote trigger enables T1190 (Exploit Public-Facing Application) for initial access and T1068 (Exploitation for Privilege Escalation) to achieve arbitrary code execution.
NVD Description
A weakness has been identified in Tenda F453 1.0.0.3. This affects the function fromNatStaticSetting of the file /goform/NatStaticSetting of the component httpd. Executing a manipulation of the argument page can lead to buffer overflow. The attack may be launched remotely.…
more
The exploit has been made available to the public and could be used for attacks.
Deeper analysisAI
CVE-2026-3168 is a buffer overflow vulnerability affecting Tenda F453 firmware version 1.0.0.3. The issue resides in the fromNatStaticSetting function within the /goform/NatStaticSetting endpoint of the httpd component. It is triggered by manipulating the 'page' argument, leading to a buffer overflow condition classified under CWE-119 and CWE-120. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-25.
The vulnerability enables remote exploitation by an attacker with low privileges (PR:L), requiring low attack complexity and no user interaction. Successful exploitation can result in high impacts on confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.
References include a GitHub repository containing a publicly available exploit at https://github.com/Litengzheng/vul_db/blob/main/F453/vul_67/README.md, multiple VulDB entries detailing the issue (https://vuldb.com/?ctiid.347675, https://vuldb.com/?id.347675, https://vuldb.com/?submit.759595), and the vendor's website at https://www.tenda.com.cn/. Security practitioners should consult these for any patch availability or mitigation guidance, as the public exploit increases the risk of active attacks.
Details
- CWE(s)