CVE-2026-3976

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3976 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Tenda W3 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly enforces validation of POST parameters like index/GO to prevent stack-based buffer overflows from improper input handling.

SI-16 Memory Protection good match

prevent

Implements memory protections such as stack canaries and non-executable stacks to mitigate exploitation of stack-based buffer overflows.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the identified buffer overflow flaw through firmware patching to eliminate the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Stack buffer overflow in router web POST handler (/goform/WifiMacFilterSet) directly enables remote authenticated RCE via T1190 (Exploit Public-Facing Application); resulting arbitrary code execution on embedded Linux firmware maps to T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A weakness has been identified in Tenda W3 1.0.0.3(2204). Impacted is the function formWifiMacFilterSet of the file /goform/WifiMacFilterSet of the component POST Parameter Handler. Executing a manipulation of the argument index/GO can lead to stack-based buffer overflow. It is possible…

to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

Deeper analysisAI

CVE-2026-3976 is a stack-based buffer overflow vulnerability affecting the Tenda W3 router on firmware version 1.0.0.3(2204). The flaw resides in the formWifiMacFilterSet function within the /goform/WifiMacFilterSet file of the POST Parameter Handler component. It is triggered by manipulating the "index/GO" argument, as associated with CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write).

The vulnerability enables remote exploitation with low attack complexity and no user interaction required. Attackers need low privileges (PR:L), such as those of an authenticated user, to submit a malicious POST request. Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8, potentially leading to arbitrary code execution on the device.

Advisories and references, including VulDB entries (ctiid.350411, id.350411, submit.769179), document the issue but do not specify patches or vendor mitigations in the provided details. GitHub repositories (Svigo-o/Tenda_vul) publicly host proof-of-concept exploits targeting the formWifiMacFilterSet index and GO buffer overflows.

The exploit code is publicly available, elevating the risk of widespread attacks against unpatched Tenda W3 devices. The vulnerability was published on 2026-03-12.

Details

CWE(s): CWE-119 CWE-121 CWE-787

Affected Products

tenda

w3 firmware

1.0.0.3\(2204\)

CVEs Like This One

CVE-2026-3975Same product: Tenda W3

CVE-2026-3973Same product: Tenda W3

CVE-2026-3974Same product: Tenda W3

CVE-2026-4008Same product: Tenda W3

CVE-2026-4007Same product: Tenda W3

CVE-2026-3972Same product: Tenda W3

CVE-2026-5156Same vendor: Tenda

CVE-2026-3732Same vendor: Tenda

CVE-2026-5830Same vendor: Tenda

CVE-2026-6015Same vendor: Tenda

References

https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-w3-formWifiMacFilterSet-go-buffer-overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://github.com/Svigo-o/Tenda_vul/tree/main/tenda-w3-formWifiMacFilterSet-index-buffer-overflow
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.350411
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.350411
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.769179
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.769180
Third Party Advisory, VDB Entry · cna@vuldb.com
https://www.tenda.com.cn/
Product · cna@vuldb.com