CVE-2026-3804 in Tendainfo

Summary

by MITRE • 03/09/2026

A security flaw has been discovered in Tenda i3 1.0.0.6(2204). This vulnerability affects the function formWifiMacFilterSet of the file /goform/WifiMacFilterSet. The manipulation of the argument index results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 03/09/2026

The vulnerability identified as CVE-2026-3804 represents a critical stack-based buffer overflow flaw within the Tenda i3 router firmware version 1.0.0.6(2204). This security weakness resides in the formWifiMacFilterSet function located within the /goform/WifiMacFilterSet file, which serves as a critical component for managing wireless mac address filtering capabilities. The flaw specifically manifests when the index argument parameter is manipulated, creating conditions that allow attackers to exceed the bounds of allocated stack memory buffers. This type of vulnerability falls under the CWE-121 stack-based buffer overflow category, which is classified as a serious memory corruption vulnerability that can lead to arbitrary code execution. The affected device operates within the consumer and small office networking space, making it a prime target for attackers seeking to compromise home and small business networks. The remote exploitability of this vulnerability means that attackers can leverage this flaw without requiring physical access to the device, potentially enabling them to execute malicious code on the affected router.

The technical implementation of this buffer overflow vulnerability stems from improper input validation within the wireless mac filtering configuration interface. When an attacker sends a specially crafted request to the /goform/WifiMacFilterSet endpoint with an oversized index parameter, the application fails to properly bounds-check the input before copying it into a fixed-size stack buffer. This lack of proper input sanitization creates a condition where the index value can overwrite adjacent stack memory locations, potentially corrupting the return address of the calling function or other critical program state information. The ATT&CK framework categorizes this as a technique involving code injection and privilege escalation, as successful exploitation could allow attackers to gain unauthorized control over the router's operating system. The vulnerability's exploitation requires knowledge of the specific API endpoint and understanding of how the index parameter is processed, making it moderately sophisticated but not requiring advanced reverse engineering skills due to the public availability of exploit code.

The operational impact of CVE-2026-3804 extends beyond simple remote code execution, as compromised routers can serve as entry points for broader network attacks. Once an attacker gains control of the device, they can modify network configurations, redirect traffic through malicious proxies, or establish persistent backdoors for future access. The router's role as a central network gateway means that successful exploitation could provide attackers with visibility into all network traffic passing through the device, potentially exposing sensitive data from connected devices. Network segmentation benefits are compromised when a router is compromised, as attackers can use the device as a pivot point to scan internal network addresses and launch attacks against other systems. Additionally, the vulnerability affects firmware that may be widely deployed, potentially exposing thousands of devices simultaneously to the same risk. The public availability of exploit code significantly increases the likelihood of widespread exploitation, as it reduces the barrier to entry for attackers who may not possess advanced technical skills.

Mitigation strategies for CVE-2026-3804 should prioritize immediate firmware updates from Tenda, as this represents the most effective defense against the vulnerability. Network administrators should implement network segmentation and access controls to limit the potential damage from a compromised device, using firewalls and intrusion detection systems to monitor for suspicious traffic patterns. Regular network scanning should be conducted to identify devices running vulnerable firmware versions, and automated patch management systems should be deployed to ensure timely updates across all networked devices. The implementation of network monitoring solutions that can detect anomalous behavior from compromised routers, such as unexpected outbound connections or DNS tunneling attempts, provides additional layers of defense. Security teams should also consider disabling unnecessary services and ports on the affected devices, particularly the web management interface that exposes the vulnerable API endpoint. Organizations should establish incident response procedures specifically addressing router compromise scenarios, including steps for device isolation, forensic analysis, and network-wide security assessments. The vulnerability highlights the importance of secure coding practices and regular security testing in embedded systems, particularly those handling network configuration data where improper input validation can lead to critical security flaws.

Responsible

VulDB

Disclosure

03/09/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00654

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!