Cyber Resilience

CVE-2026-3975

HighPublic PoC

Published: 12 March 2026

Published
12 March 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0066 46.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3975 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda W3 Firmware. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3975 is a stack-based buffer overflow vulnerability affecting the Tenda W3 router on firmware version 1.0.0.3(2204). The issue lies in the formWifiMacFilterGet function of the /goform/WifiMacFilterGet endpoint within the POST Parameter Handler component. Manipulating the wl_radio argument triggers the overflow, as documented under CWEs-119, CWE-121, and CWE-787.

The vulnerability enables remote exploitation over the network with low attack complexity and low privileges required (PR:L), without user interaction and with unchanged scope. Per its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected device.

Advisories and references, including VulDB entries (ctiid.350410, id.350410, submit.769178), note that a public exploit is available on GitHub at https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-w3-formWifiMacFilterGet-index-buffer-overflow. Security practitioners should review the Tenda website (tenda.com.cn) for any firmware updates or mitigation recommendations.

EU & UK References

Vulnerability details

A security flaw has been discovered in Tenda W3 1.0.0.3(2204). This issue affects the function formWifiMacFilterGet of the file /goform/WifiMacFilterGet of the component POST Parameter Handler. Performing a manipulation of the argument wl_radio results in stack-based buffer overflow. It is…

more

possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow in publicly accessible /goform/WifiMacFilterGet web endpoint on network device directly enables remote code execution via exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3973Same product: Tenda W3
CVE-2026-3976Same product: Tenda W3
CVE-2026-4007Same product: Tenda W3
CVE-2026-4008Same product: Tenda W3
CVE-2026-3974Same product: Tenda W3
CVE-2026-3972Same product: Tenda W3
CVE-2026-4961Same vendor: Tenda
CVE-2025-9748Same vendor: Tenda
CVE-2026-4960Same vendor: Tenda
CVE-2026-4906Same vendor: Tenda

Affected Assets

tenda
w3 firmware
1.0.0.3\(2204\)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation directly patches the stack-based buffer overflow in the formWifiMacFilterGet function, preventing remote exploitation via the wl_radio parameter.

prevent

Information input validation enforces bounds checking and sanitization of POST parameters like wl_radio to block buffer overflow triggers in the WifiMacFilterGet handler.

prevent

Memory protection mechanisms such as stack canaries and non-executable memory prevent arbitrary code execution from successful stack-based buffer overflows.

References