Cyber Resilience

CVE-2026-3802

HighPublic PoC

Published: 09 March 2026

Published
09 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0063 45.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3802 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda I3 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3802 is a stack-based buffer overflow vulnerability affecting the Tenda i3 router on firmware version 1.0.0.6(2204). The issue resides in the formexeCommand function of the /goform/exeCommand file, where manipulation of the cmdinput argument triggers the overflow. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), it was published on 2026-03-09.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), denoting high severity due to its network accessibility, low attack complexity, and requirement for only low privileges. Remote attackers with authenticated access, such as legitimate users, can exploit it without user interaction to achieve high impacts on confidentiality, integrity, and availability, potentially leading to full device compromise.

References include a public exploit disclosure on GitHub (https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-i3-formexeCommand-cmdinput-buffer-overflow) and VulDB entries (https://vuldb.com/?ctiid.349769, https://vuldb.com/?id.349769, https://vuldb.com/?submit.768983). The Tenda vendor website (https://www.tenda.com.cn/) is listed, but no specific patch or mitigation details are provided in the available information.

The exploit has been publicly disclosed and may be utilized, increasing the risk for unpatched Tenda i3 devices.

EU & UK References

Vulnerability details

A vulnerability was determined in Tenda i3 1.0.0.6(2204). Affected by this issue is the function formexeCommand of the file /goform/exeCommand. Executing a manipulation of the argument cmdinput can lead to stack-based buffer overflow. The attack may be performed from remote.…

more

The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Stack-based buffer overflow in the authenticated web form (/goform/exeCommand, cmdinput parameter) on a network device directly enables remote code execution; maps to T1190 (public-facing web management interface) and T1059.008 (Network Device CLI command execution abuse).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3803Same product: Tenda I3
CVE-2026-3804Same product: Tenda I3
CVE-2026-3799Same product: Tenda I3
CVE-2026-3801Same product: Tenda I3
CVE-2026-3970Same product: Tenda I3
CVE-2026-3971Same product: Tenda I3
CVE-2026-5841Same product: Tenda I3
CVE-2026-2886Same vendor: Tenda
CVE-2025-8017Same vendor: Tenda
CVE-2025-14665Same vendor: Tenda

Affected Assets

tenda
i3 firmware
1.0.0.6\(2204\)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of inputs like the cmdinput argument at the /goform/exeCommand endpoint to prevent stack-based buffer overflows from oversized or malformed data.

prevent

SI-16 enforces memory protections such as stack canaries, non-executable stacks, and ASLR to mitigate exploitation of stack-based buffer overflows even if invalid input reaches the function.

prevent

SI-2 mandates timely identification, testing, and remediation of flaws like this buffer overflow in the Tenda i3 firmware to eliminate the vulnerability via patching.

References