CVE-2026-3801

HighPublic PoC

Published: 09 March 2026

Published

09 March 2026

Modified

09 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3801 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda I3 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

preventrecover

Timely flaw remediation through firmware patching directly eliminates the stack-based buffer overflow in the formSetAutoPing function.

SI-10 Information Input Validation good match

prevent

Information input validation enforces bounds checking on ping1 and ping2 arguments to prevent the buffer overflow exploitation.

SI-16 Memory Protection partial match

prevent

Memory protection mechanisms like stack canaries mitigate successful exploitation of the stack-based buffer overflow even if input validation fails.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in router web endpoint (/goform/setAutoPing) enables remote code execution from low-privileged authenticated sessions, directly supporting T1190 (public-facing application exploitation) and T1068 (privilege escalation to achieve high CIA impact).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was found in Tenda i3 1.0.0.6(2204). Affected by this vulnerability is the function formSetAutoPing of the file /goform/setAutoPing. Performing a manipulation of the argument ping1/ping2 results in stack-based buffer overflow. The attack is possible to be carried out…

remotely. The exploit has been made public and could be used.

Deeper analysisAI

CVE-2026-3801 is a stack-based buffer overflow vulnerability affecting the Tenda i3 router on firmware version 1.0.0.6(2204). The flaw exists in the formSetAutoPing function processed by the /goform/setAutoPing endpoint, where manipulation of the ping1 or ping2 arguments triggers the overflow.

The vulnerability can be exploited remotely by attackers with low privileges, such as authenticated users, requiring low attack complexity and no user interaction. Exploitation over the network achieves high impacts on confidentiality, integrity, and availability, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It is linked to CWE-119 and CWE-121.

Public exploits targeting the ping1 and ping2 overflow variants are available on GitHub repositories under Svigo-o/Tenda_vul. VulDB documents the issue with CTI ID 349768 and ID 349768, including a submission entry, but no vendor patches or specific mitigations are detailed in the references.

The exploit has been made public and could be used, indicating potential for active targeting of vulnerable Tenda i3 devices.

Details

CWE(s): CWE-119 CWE-121

Affected Products

tenda

i3 firmware

1.0.0.6\(2204\)

CVEs Like This One

CVE-2026-3804Same product: Tenda I3

CVE-2026-3799Same product: Tenda I3

CVE-2026-3970Same product: Tenda I3

CVE-2026-3971Same product: Tenda I3

CVE-2026-3803Same product: Tenda I3

CVE-2026-3802Same product: Tenda I3

CVE-2026-5841Same product: Tenda I3

CVE-2026-3677Same vendor: Tenda

CVE-2026-3727Same vendor: Tenda

CVE-2026-3811Same vendor: Tenda

References

https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-i3-setautoping-ping1-buffer-overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-i3-setautoping-ping2-buffer-overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.349768
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.349768
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.768980
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.768982
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com