CVE-2026-3729
Published: 08 March 2026
Summary
CVE-2026-3729 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F453 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires identifying, reporting, and correcting system flaws like this stack-based buffer overflow, directly addressing the vulnerability through patching or firmware updates.
SI-10 mandates validating inputs such as the username and opttype arguments to prevent buffer overflows from improper data handling in the fromPptpUserAdd function.
SI-16 implements memory protections like stack canaries or DEP to mitigate exploitation of stack-based buffer overflows even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in router web form handler (/goform/PPTPDClient) allows remote low-privilege attacker to achieve RCE/DoS/data modification on public-facing network device management interface (T1190); low-priv requirement with high impact indicates privilege escalation (T1068).
NVD Description
A vulnerability was identified in Tenda F453 1.0.0.3/3.As. Impacted is the function fromPptpUserAdd of the file /goform/PPTPDClient. Such manipulation of the argument username/opttype leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and…
more
might be used.
Deeper analysisAI
CVE-2026-3729 is a stack-based buffer overflow vulnerability affecting the Tenda F453 router running firmware version 1.0.0.3(3.As). The issue resides in the fromPptpUserAdd function within the /goform/PPTPDClient file, where improper handling of the username and opttype arguments triggers the overflow. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). The vulnerability was published on 2026-03-08.
A remote attacker with low privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the username or opttype arguments, the attacker triggers the buffer overflow, potentially achieving high-impact consequences including unauthorized disclosure of sensitive data, modification of system data, and denial of service. A public exploit is available, increasing the likelihood of real-world abuse.
Advisories and additional details are available via references including a GitHub repository at https://github.com/Litengzheng/vul_db/blob/main/F453/vul_98/README.md containing exploit information, VulDB entries at https://vuldb.com/?ctiid.349707, https://vuldb.com/?id.349707, and https://vuldb.com/?submit.766934, and the vendor site at https://www.tenda.com.cn/. Security practitioners should consult these for any patch availability or workarounds from Tenda.
Details
- CWE(s)