Cyber Resilience

CVE-2026-3973

HighPublic PoC

Published: 12 March 2026

Published
12 March 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0063 45.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3973 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda W3 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3973 is a stack-based buffer overflow vulnerability affecting the Tenda W3 router on firmware version 1.0.0.3(2204). The flaw exists in the formSetAutoPing function of the POST Parameter Handler component at the /goform/setAutoPing endpoint, triggered by manipulation of the ping1 or ping2 arguments. It is associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity and low privileges required, without user interaction. A remote attacker possessing low privileges, such as admin interface access, can trigger the buffer overflow to achieve high impacts on confidentiality, integrity, and availability, potentially leading to remote code execution.

VulDB advisories (ctiid.350408 and related entries) document the issue, while GitHub repositories provide publicly disclosed proof-of-concept exploits specifically targeting the ping1 and ping2 buffer overflows. No patches or vendor-specific mitigations are detailed in the references.

EU & UK References

Vulnerability details

A vulnerability was determined in Tenda W3 1.0.0.3(2204). This affects the function formSetAutoPing of the file /goform/setAutoPing of the component POST Parameter Handler. This manipulation of the argument ping1/ping2 causes stack-based buffer overflow. The attack is possible to be carried…

more

out remotely. The exploit has been publicly disclosed and may be utilized.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in the authenticated web endpoint (/goform/setAutoPing) of a network device directly enables remote exploitation of a public-facing application, resulting in RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3975Same product: Tenda W3
CVE-2026-3976Same product: Tenda W3
CVE-2026-4007Same product: Tenda W3
CVE-2026-4008Same product: Tenda W3
CVE-2026-3974Same product: Tenda W3
CVE-2026-3972Same product: Tenda W3
CVE-2026-4961Same vendor: Tenda
CVE-2025-9748Same vendor: Tenda
CVE-2026-4960Same vendor: Tenda
CVE-2026-4906Same vendor: Tenda

Affected Assets

tenda
w3 firmware
1.0.0.3\(2204\)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of POST parameters like ping1 and ping2 to prevent stack-based buffer overflows from improper input handling.

preventdetect

Implements memory safeguards such as stack canaries, ASLR, and non-executable stacks to protect against exploitation of the stack-based buffer overflow.

prevent

Directs identification, reporting, and correction of the buffer overflow flaw in the formSetAutoPing function to eliminate the vulnerability.

References