CVE-2026-3972
Received Received - Intake
Stack-Based Buffer Overflow in Tenda W3 HTTP Handler

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in Tenda W3 1.0.0.3(2204). Affected by this issue is the function formSetCfm of the file /goform/setcfm of the component HTTP Handler. The manipulation of the argument funcpara1 results in stack-based buffer overflow. The attack can only be performed from the local network. The exploit has been made public and could be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3972
EUVD
EUVD-2026-11503
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda w3_firmware 1.0.0.3(2204)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3972 is a stack-based buffer overflow vulnerability found in the Tenda W3 router, version 1.0.0.3(2204). It exists in the HTTP handler component, specifically in the formSetCfm function accessed via the /goform/setcfm endpoint.

The vulnerability arises from improper handling of the POST parameter funcpara1, which is copied into a fixed-length buffer on the stack without proper bounds checking. By sending a specially crafted POST request with an excessively long funcpara1 value, an attacker can cause a buffer overflow.

This overflow can overwrite the stack, including the return address, potentially leading to a crash or arbitrary code execution on the device.

The attack can only be performed from within the local network and does not require authentication.

Impact Analysis

Exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the affected Tenda W3 router.

  • An attacker on the local network can cause a denial of service by crashing the device.
  • More critically, the attacker may achieve arbitrary code execution, potentially taking full control of the router.
  • Since the vulnerability requires no authentication, it is relatively easy to exploit if an attacker has local network access.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests to the /goform/setcfm endpoint on the Tenda W3 router, specifically those containing an excessively long funcpara1 parameter.'}, {'type': 'paragraph', 'content': 'A detection method involves capturing network traffic on the local network and filtering for POST requests targeting /goform/setcfm with unusually large payloads in the funcpara1 parameter.'}, {'type': 'list_item', 'content': 'Use a network packet capture tool like tcpdump or Wireshark to capture HTTP POST requests to /goform/setcfm.'}, {'type': 'list_item', 'content': "Example tcpdump command to capture relevant traffic: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i '/goform/setcfm'"}, {'type': 'list_item', 'content': 'Analyze captured HTTP POST data for the presence of the funcpara1 parameter with an unusually long string value.'}, {'type': 'list_item', 'content': 'Alternatively, use intrusion detection systems (IDS) or web application firewalls (WAF) to create rules that alert on POST requests to /goform/setcfm with large funcpara1 parameters.'}] [1, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include restricting access to the affected Tenda W3 router's management interface to trusted local network users only, as exploitation requires local network access."}, {'type': 'paragraph', 'content': 'Since no known countermeasures or patches are currently available, it is recommended to replace the affected device with a secure alternative.'}, {'type': 'paragraph', 'content': "Additionally, monitor network traffic for suspicious POST requests to /goform/setcfm and consider implementing network segmentation or firewall rules to limit access to the router's HTTP management interface."}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3972. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart