CVE-2026-3972
Stack-Based Buffer Overflow in Tenda W3 HTTP Handler
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | w3_firmware | 1.0.0.3(2204) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3972 is a stack-based buffer overflow vulnerability found in the Tenda W3 router, version 1.0.0.3(2204). It exists in the HTTP handler component, specifically in the formSetCfm function accessed via the /goform/setcfm endpoint.
The vulnerability arises from improper handling of the POST parameter funcpara1, which is copied into a fixed-length buffer on the stack without proper bounds checking. By sending a specially crafted POST request with an excessively long funcpara1 value, an attacker can cause a buffer overflow.
This overflow can overwrite the stack, including the return address, potentially leading to a crash or arbitrary code execution on the device.
The attack can only be performed from within the local network and does not require authentication.
How can this vulnerability impact me?
Exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the affected Tenda W3 router.
- An attacker on the local network can cause a denial of service by crashing the device.
- More critically, the attacker may achieve arbitrary code execution, potentially taking full control of the router.
- Since the vulnerability requires no authentication, it is relatively easy to exploit if an attacker has local network access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /goform/setcfm endpoint on the Tenda W3 router, specifically those containing an excessively long funcpara1 parameter.
A detection method involves capturing network traffic on the local network and filtering for POST requests targeting /goform/setcfm with unusually large payloads in the funcpara1 parameter.
- Use a network packet capture tool like tcpdump or Wireshark to capture HTTP POST requests to /goform/setcfm.
- Example tcpdump command to capture relevant traffic: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '/goform/setcfm'`
- Analyze captured HTTP POST data for the presence of the funcpara1 parameter with an unusually long string value.
- Alternatively, use intrusion detection systems (IDS) or web application firewalls (WAF) to create rules that alert on POST requests to /goform/setcfm with large funcpara1 parameters. [1, 3]
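The length check on funcpara1 described above can be automated over reassembled HTTP requests. The following is an added example, not code from the advisory or from Tenda; the 256-byte threshold, the `inspect_request` and `build_sample` names, and the sample requests are assumptions constructed for illustration, since the page does not state the buffer size.

```python
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/setcfm"  # endpoint named on this page
PARAM = "funcpara1"          # parameter named on this page
MAX_LEN = 256                # assumed threshold; the page gives no buffer size


def inspect_request(raw: bytes, max_len: int = MAX_LEN):
    """Return an alert dict for one raw HTTP request, or None if it looks fine."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.decode("latin-1").split("\r\n")[0].split(" ")
    if len(parts) != 3:
        return None  # not a parseable request line
    method, target, _version = parts
    path = urlsplit(target).path.rstrip("/").lower()
    if method.upper() != "POST" or path != ENDPOINT:
        return None
    # latin-1 keeps one character per byte, so len() is the decoded byte count.
    # parse_qs undoes percent-encoding and returns every repeat of the field.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    longest = max((len(v) for v in fields.get(PARAM, [])), default=0)
    if longest > max_len:
        return {"endpoint": ENDPOINT, "param": PARAM, "length": longest}
    return None


def build_sample(method: str, target: str, body: str) -> bytes:
    """Build a constructed request for the demo (not captured traffic)."""
    return (f"{method} {target} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed samples: a short value, an oversized one, a percent-encoded one.
SAMPLES = {
    "short": build_sample("POST", ENDPOINT, PARAM + "=1"),
    "oversized": build_sample("POST", ENDPOINT, PARAM + "=" + "x" * 300),
    "encoded": build_sample("POST", ENDPOINT, PARAM + "=" + "%78" * 300),
    "other_path": build_sample("POST", "/index.html", PARAM + "=" + "x" * 300),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, inspect_request(request))
```

Measuring the decoded value rather than the raw body keeps percent-encoding from inflating the reported length, and taking the longest repeat covers requests that send the parameter more than once.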
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the affected Tenda W3 router's management interface to trusted local network users only, as exploitation requires local network access.
Since no known countermeasures or patches are currently available, it is recommended to replace the affected device with a secure alternative.
Additionally, monitor network traffic for suspicious POST requests to /goform/setcfm and consider implementing network segmentation or firewall rules to limit access to the router's HTTP management interface. [2]