CVE-2026-3801
Remote Stack-Based Buffer Overflow in Tenda i3 AutoPing Function
Publication date: 2026-03-09
Last updated on: 2026-03-09
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | i3_firmware | 1.0.0.6(2204) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3801 is a stack-based buffer overflow vulnerability found in the Tenda i3 router firmware version 1.0.0.6(2204). It exists in the formSetAutoPing function accessed via the /goform/setAutoPing HTTP endpoint. The vulnerability arises because the parameters ping1 and ping2 are not properly validated for length. A remote attacker can send a specially crafted HTTP POST request with an excessively long ping1 or ping2 parameter, causing a buffer overflow on the stack.
This buffer overflow can lead to denial of service or potentially allow the attacker to execute arbitrary code remotely on the affected device.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including denial of service (DoS) and remote code execution on the affected Tenda i3 router. An attacker exploiting this flaw can crash the device or take control of it remotely without needing authentication.
Such control could allow the attacker to disrupt network availability, intercept or manipulate network traffic, or use the compromised device as a foothold for further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests sent to the endpoint /goform/setAutoPing on the Tenda i3 router firmware version 1.0.0.6(2204). Specifically, detection involves identifying unusually long or crafted values in the parameters ping1 or ping2, which are exploited to trigger the stack-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze network traffic for POST requests targeting /goform/setAutoPing with oversized ping1 or ping2 parameters.'}, {'type': 'paragraph', 'content': 'Example commands using common tools could include:'}, {'type': 'list_item', 'content': "Using tcpdump to capture relevant HTTP POST requests: tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'"}, {'type': 'list_item', 'content': 'Using grep or similar tools on captured traffic to search for /goform/setAutoPing and unusually long ping1 or ping2 parameters.'}, {'type': 'list_item', 'content': 'Using curl or similar HTTP clients to test the endpoint by sending crafted POST requests with long ping1 or ping2 parameters to verify if the device is vulnerable.'}] [1, 2, 3, 4, 5]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint /goform/setAutoPing to trusted networks only, such as by implementing firewall rules to block external HTTP POST requests to this endpoint.
Since no known countermeasures or patches currently exist for this vulnerability, it is recommended to replace the affected Tenda i3 router firmware version 1.0.0.6(2204) with a secure alternative or updated device if available.
Additionally, monitoring network traffic for exploit attempts and disabling remote management features on the device can reduce exposure.