CVE-2026-3272
Published: 27 February 2026
Summary
CVE-2026-3272 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F453 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the buffer overflow vulnerability in the Tenda F453 httpd's fromDhcpListClient function by requiring timely patching of the affected firmware.
Prevents the buffer overflow by enforcing validation of the manipulable 'page' argument at the httpd input point /goform/DhcpListClient.
Mitigates remote code execution from the buffer overflow via memory protections such as ASLR, DEP, and stack canaries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing httpd web interface (fromDhcpListClient, 'page' param) directly enables T1190 for remote exploitation; low-priv authenticated access to full RCE maps to T1068 for privilege escalation; embedded Linux router context enables command execution via T1059.004 Unix Shell.
NVD Description
A vulnerability was determined in Tenda F453 1.0.0.3. Affected is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. This manipulation of the argument page causes buffer overflow. Remote exploitation of the attack is possible. The exploit has…
more
been publicly disclosed and may be utilized.
Deeper analysisAI
CVE-2026-3272 is a buffer overflow vulnerability affecting the Tenda F453 router on firmware version 1.0.0.3. The flaw resides in the fromDhcpListClient function within the /goform/DhcpListClient file of the httpd component. Manipulation of the "page" argument triggers the buffer overflow. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 and CWE-120.
The vulnerability enables remote exploitation with low attack complexity, requiring only low privileges such as an authenticated user, and no user interaction. Attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to remote code execution on the affected device. The exploit has been publicly disclosed and may be utilized by threat actors.
Advisories and additional details are available via VulDB entries (https://vuldb.com/?ctiid.347996, https://vuldb.com/?id.347996, https://vuldb.com/?submit.759603) and the vendor's site (https://www.tenda.com.cn/). A GitHub repository provides exploit information: https://github.com/Litengzheng/vul_db/blob/main/F453/vul_71/README.md.
Details
- CWE(s)