CVE-2026-3274
Published: 27 February 2026
Summary
CVE-2026-3274 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F453 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation directly addresses the buffer overflow in the frmL7ProtForm function by applying vendor patches or firmware updates to eliminate the vulnerability.
Information input validation on the 'page' argument prevents buffer overflow by enforcing bounds checking and rejecting malformed inputs to the /goform/L7Prot endpoint.
Memory protection mechanisms such as address space layout randomization and non-executable stacks mitigate arbitrary code execution from the buffer overflow even if triggered.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in network-accessible httpd web form (/goform/L7Prot) directly enables remote exploitation of a public-facing application (T1190) by an authenticated low-privileged user; successful RCE yields full device compromise and therefore constitutes exploitation for privilege escalation (T1068).
NVD Description
A security flaw has been discovered in Tenda F453 1.0.0.3. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Performing a manipulation of the argument page results in buffer overflow. The attack is…
more
possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
Deeper analysisAI
CVE-2026-3274 is a buffer overflow vulnerability affecting the Tenda F453 router running firmware version 1.0.0.3. The flaw resides in the frmL7ProtForm function within the /goform/L7Prot endpoint of the httpd component. By manipulating the 'page' argument, an attacker can trigger the buffer overflow remotely, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-27.
The vulnerability can be exploited remotely by an attacker who has low privileges (PR:L), such as an authenticated user on the device. No user interaction is required, and the low attack complexity enables straightforward exploitation over the network. Successful exploitation grants high-impact confidentiality, integrity, and availability consequences, potentially allowing arbitrary code execution, data theft, or full device compromise. A public exploit has been released, increasing the risk of real-world attacks.
Advisories and references, including VulDB entries (ctiid.347998, id.347998, submit.759621) and a GitHub repository at https://github.com/Litengzheng/vul_db/blob/main/F453/vul_74/README.md, document the issue and provide exploit details. The manufacturer's site at https://www.tenda.com.cn/ is listed, though specific patch or mitigation guidance is not detailed in the available information.
Notable context includes the public availability of an exploit, which heightens the urgency for affected users to monitor for updates or apply network controls.
Details
- CWE(s)