CVE-2026-3399
Published: 01 March 2026
Summary
CVE-2026-3399 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F453 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely identification, reporting, and patching of the buffer overflow flaw in the httpd component's fromGstDhcpSetSer function directly eliminates the vulnerability in Tenda F453 firmware.
Validating the length and format of the 'dips' argument in HTTP requests to /goform/GstDhcpSetSer prevents the buffer overflow triggered by oversized or malformed input.
Memory protections such as address space layout randomization and stack canaries mitigate successful exploitation of the buffer overflow even if the underlying flaw persists.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the httpd web management interface (public-facing) directly enables remote exploitation for RCE with low privileges, mapping to T1190.
NVD Description
A vulnerability was identified in Tenda F453 1.0.0.3. Affected by this vulnerability is the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. The manipulation of the argument dips leads to buffer overflow. The attack may be initiated remotely.…
more
The exploit is publicly available and might be used.
Deeper analysisAI
CVE-2026-3399 is a buffer overflow vulnerability in Tenda F453 firmware version 1.0.0.3. The flaw affects the fromGstDhcpSetSer function in the /goform/GstDhcpSetSer file of the httpd component, where manipulation of the dips argument triggers the overflow. Published on 2026-03-01, it is associated with CWE-119 and CWE-120.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely with low attack complexity and low privileges required. An attacker meeting these conditions can achieve high impacts on confidentiality, integrity, and availability, such as potential remote code execution via the buffer overflow.
Advisories and details are available via VulDB entries (https://vuldb.com/?ctiid.348294, https://vuldb.com/?id.348294, https://vuldb.com/?submit.759631) and the vendor site (https://www.tenda.com.cn/). A public exploit is documented on GitHub (https://github.com/Litengzheng/vul_db/blob/main/F453/vul_83/README.md) and might be used.
The exploit is publicly available, increasing the risk of active exploitation against unpatched Tenda F453 devices.
Details
- CWE(s)