Cyber Resilience

CVE-2026-3678

HighPublic PoC

Published: 07 March 2026

Published
07 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0056 42.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3678 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda Fh451 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3678 is a stack-based buffer overflow vulnerability affecting the Tenda FH451 router on firmware version 1.0.0.9. The flaw exists in the sub_3C434 function of the /goform/AdvSetWan file, triggered by manipulation of the wanmode and PPPOEPassword arguments. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability enables remote exploitation by an attacker possessing low privileges, such as an authenticated user on the device. Exploitation requires low attack complexity and no user interaction, allowing the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution via the buffer overflow.

Advisories detail the issue on VulDB (ctiid.349580, id.349580, submit.765330), with a public exploit disclosure available on GitHub at https://github.com/Litengzheng/vul_db/blob/main/FH451/vul_62/README.md. The Tenda vendor site is at https://www.tenda.com.cn/, but specific mitigation or patch guidance is not outlined in the referenced sources.

The exploit has been publicly disclosed and may be utilized, increasing the risk for unpatched Tenda FH451 devices exposed to the network.

EU & UK References

Vulnerability details

A vulnerability was determined in Tenda FH451 1.0.0.9. Affected is the function sub_3C434 of the file /goform/AdvSetWan. This manipulation of the argument wanmode/PPPOEPassword causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly…

more

disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Stack-based buffer overflow in router web form handler (/goform/AdvSetWan) enables remote authenticated RCE on a network device, directly supporting T1190 (Exploit Public-Facing Application) for initial compromise and T1068 (Exploitation for Privilege Escalation) from low-priv web session to full code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3677Same product: Tenda Fh451
CVE-2026-4534Same product: Tenda Fh451
CVE-2026-4535Same product: Tenda Fh451
CVE-2025-7792Same product: Tenda Fh451
CVE-2025-7854Same product: Tenda Fh451
CVE-2025-7796Same product: Tenda Fh451
CVE-2025-7807Same product: Tenda Fh451
CVE-2025-7506Same product: Tenda Fh451
CVE-2025-7795Same product: Tenda Fh451
CVE-2025-7434Same product: Tenda Fh451

Affected Assets

tenda
fh451 firmware
1.0.0.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of inputs like PPPOEPassword and wanmode arguments to prevent stack-based buffer overflows from improper restriction of operations within memory bounds.

prevent

SI-2 mandates timely flaw remediation, such as applying firmware patches to fix the specific buffer overflow in sub_3C434 of /goform/AdvSetWan.

prevent

SI-16 enforces memory protections like stack canaries, ASLR, and non-executable stacks to mitigate arbitrary code execution from the stack-based buffer overflow.

References