CVE-2026-3769
Published: 08 March 2026
Summary
CVE-2026-3769 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda F453 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and remediation of the stack-based buffer overflow vulnerability in the Tenda F453 firmware via patching.
Mandates validation of the GO argument in the WrlclientSet function to restrict operations within memory bounds and prevent the buffer overflow.
Deploys memory protection mechanisms such as stack canaries or non-executable stacks to mitigate exploitation of the stack-based buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote stack-based buffer overflow in public-facing web endpoint (/goform/WrlclientSet) with low privileges required enables T1190 for initial access via crafted requests and T1068 for privilege escalation to arbitrary code execution on the device.
NVD Description
A vulnerability was detected in Tenda F453 1.0.0.3. Affected by this issue is the function WrlclientSet of the file /goform/WrlclientSet. The manipulation of the argument GO results in stack-based buffer overflow. The attack can be executed remotely. The exploit is…
more
now public and may be used.
Deeper analysisAI
CVE-2026-3769 is a stack-based buffer overflow vulnerability in the Tenda F453 router running firmware version 1.0.0.3. The issue affects the WrlclientSet function within the /goform/WrlclientSet endpoint, where manipulation of the GO argument triggers the overflow. This flaw, associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-08.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring only network access and no user interaction. By sending a specially crafted request manipulating the GO argument, the attacker triggers the buffer overflow, potentially leading to high-impact consequences including arbitrary code execution, data compromise, or denial of service, as indicated by the high confidentiality, integrity, and availability scores.
Advisories and references, including those from VulDB (ctiid.349747, id.349747, submit.768297) and a GitHub repository detailing the exploit, document the issue but do not specify patches or vendor mitigations in the available details; the Tenda website is referenced for further information. The exploit is publicly available, increasing the risk of real-world attacks against unpatched devices.
Details
- CWE(s)