CVE-2026-3973

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3973 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda W3 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of POST parameters like ping1 and ping2 to prevent stack-based buffer overflows from improper input handling.

SI-16 Memory Protection good match

preventdetect

Implements memory safeguards such as stack canaries, ASLR, and non-executable stacks to protect against exploitation of the stack-based buffer overflow.

SI-2 Flaw Remediation good match

prevent

Directs identification, reporting, and correction of the buffer overflow flaw in the formSetAutoPing function to eliminate the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Stack-based buffer overflow in the authenticated web endpoint (/goform/setAutoPing) of a network device directly enables remote exploitation of a public-facing application, resulting in RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability was determined in Tenda W3 1.0.0.3(2204). This affects the function formSetAutoPing of the file /goform/setAutoPing of the component POST Parameter Handler. This manipulation of the argument ping1/ping2 causes stack-based buffer overflow. The attack is possible to be carried…

out remotely. The exploit has been publicly disclosed and may be utilized.

Deeper analysisAI

CVE-2026-3973 is a stack-based buffer overflow vulnerability affecting the Tenda W3 router on firmware version 1.0.0.3(2204). The flaw exists in the formSetAutoPing function of the POST Parameter Handler component at the /goform/setAutoPing endpoint, triggered by manipulation of the ping1 or ping2 arguments. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity and low privileges required, without user interaction. A remote attacker possessing low privileges, such as admin interface access, can trigger the buffer overflow to achieve high impacts on confidentiality, integrity, and availability, potentially leading to remote code execution.

VulDB advisories (ctiid.350408 and related entries) document the issue, while GitHub repositories provide publicly disclosed proof-of-concept exploits specifically targeting the ping1 and ping2 buffer overflows. No patches or vendor-specific mitigations are detailed in the references.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

tenda

w3 firmware

1.0.0.3\(2204\)

CVEs Like This One

CVE-2026-3975Same product: Tenda W3

CVE-2026-3974Same product: Tenda W3

CVE-2026-4008Same product: Tenda W3

CVE-2026-4007Same product: Tenda W3

CVE-2026-3976Same product: Tenda W3

CVE-2026-3972Same product: Tenda W3

CVE-2026-5204Same vendor: Tenda

CVE-2026-4254Same vendor: Tenda

CVE-2025-7586Same vendor: Tenda

CVE-2025-1814Same vendor: Tenda

References

https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-w3-setautoping-ping1-buffer-overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-w3-setautoping-ping2-buffer-overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.350408
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.350408
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.769173
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.769176
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com