CVE-2026-3678
Published: 07 March 2026
Summary
CVE-2026-3678 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh451 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of inputs like PPPOEPassword and wanmode arguments to prevent stack-based buffer overflows from improper restriction of operations within memory bounds.
SI-2 mandates timely flaw remediation, such as applying firmware patches to fix the specific buffer overflow in sub_3C434 of /goform/AdvSetWan.
SI-16 enforces memory protections like stack canaries, ASLR, and non-executable stacks to mitigate arbitrary code execution from the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in router web form handler (/goform/AdvSetWan) enables remote authenticated RCE on a network device, directly supporting T1190 (Exploit Public-Facing Application) for initial compromise and T1068 (Exploitation for Privilege Escalation) from low-priv web session to full code execution.
NVD Description
A vulnerability was determined in Tenda FH451 1.0.0.9. Affected is the function sub_3C434 of the file /goform/AdvSetWan. This manipulation of the argument wanmode/PPPOEPassword causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly…
more
disclosed and may be utilized.
Deeper analysisAI
CVE-2026-3678 is a stack-based buffer overflow vulnerability affecting the Tenda FH451 router on firmware version 1.0.0.9. The flaw exists in the sub_3C434 function of the /goform/AdvSetWan file, triggered by manipulation of the wanmode and PPPOEPassword arguments. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability enables remote exploitation by an attacker possessing low privileges, such as an authenticated user on the device. Exploitation requires low attack complexity and no user interaction, allowing the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution via the buffer overflow.
Advisories detail the issue on VulDB (ctiid.349580, id.349580, submit.765330), with a public exploit disclosure available on GitHub at https://github.com/Litengzheng/vul_db/blob/main/FH451/vul_62/README.md. The Tenda vendor site is at https://www.tenda.com.cn/, but specific mitigation or patch guidance is not outlined in the referenced sources.
The exploit has been publicly disclosed and may be utilized, increasing the risk for unpatched Tenda FH451 devices exposed to the network.
Details
- CWE(s)