CVE-2026-3677
Published: 07 March 2026
Summary
CVE-2026-3677 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh451 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation directly addresses the stack-based buffer overflow in Tenda FH451 firmware by applying vendor patches to eliminate the vulnerability.
Information input validation enforces checks on funcname and funcpara1 arguments in /goform/setcfm to prevent buffer overflows from malformed remote inputs.
Memory protection mechanisms like stack canaries and non-executable stacks mitigate arbitrary code execution from the stack-based buffer overflow even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in router web form handler (/goform/setcfm) enables remote authenticated RCE leading to full device compromise, directly mapping to exploitation of the public-facing management interface and resulting privilege escalation.
NVD Description
A vulnerability was found in Tenda FH451 1.0.0.9. This impacts the function fromSetCfm of the file /goform/setcfm. The manipulation of the argument funcname/funcpara1 results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made…
more
public and could be used.
Deeper analysisAI
CVE-2026-3677 is a stack-based buffer overflow vulnerability affecting Tenda FH451 router firmware version 1.0.0.9. The flaw resides in the fromSetCfm function within the /goform/setcfm file, where manipulation of the funcname and funcpara1 arguments triggers the overflow. Published on 2026-03-07, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow).
The vulnerability enables remote exploitation by attackers possessing low privileges, requiring network access, low attack complexity, and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution and full router compromise. A public exploit exists and could be used by threat actors.
Advisories referenced in VulDB entries (ctiid.349579, id.349579, submit.765329) document the issue, while a GitHub repository provides exploit details. The Tenda vendor website is listed among references, though specific mitigation or patch guidance is not detailed in the available information.
Details
- CWE(s)