CVE-2026-3971 in Tenda
Summary
by MITRE • 03/12/2026
A vulnerability has been found in Tenda i3 1.0.0.6(2204). Affected by this vulnerability is the function formwrlSSIDset of the file /goform/wifiSSIDset. The manipulation of the argument index/GO leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/17/2026
This vulnerability exists in the Tenda i3 router firmware version 1.0.0.6(2204) where the formwrlSSIDset function within the /goform/wifiSSIDset file contains a stack-based buffer overflow flaw. The vulnerability is triggered when manipulating the index/GO argument, which allows an attacker to overwrite adjacent memory locations on the stack. This particular implementation suffers from inadequate input validation and bounds checking mechanisms that fail to properly constrain the size of user-supplied data before processing. The buffer overflow occurs because the application does not verify that the input data length exceeds the allocated stack buffer size, creating a condition where arbitrary data can be written beyond the buffer boundaries. The attack vector is remote, meaning that an unauthenticated attacker can exploit this vulnerability without requiring physical access to the device or any prior login credentials.
The technical impact of this vulnerability is severe as it enables remote code execution capabilities when successfully exploited. Attackers can leverage the stack-based buffer overflow to overwrite return addresses, function pointers, or other critical stack variables, potentially allowing them to redirect program execution flow to malicious code. This type of vulnerability falls under CWE-121 Stack-based Buffer Overflow, which is classified as a critical weakness in software security. The exploitation process typically involves crafting a specially formatted payload that, when sent to the vulnerable endpoint, causes the application to write beyond its allocated buffer space and overwrite critical program execution data. The disclosed exploit demonstrates that this vulnerability is not theoretical but has real-world attack potential, making it particularly dangerous for networked devices that are often left unpatched in consumer environments.
The operational impact extends beyond simple remote code execution to encompass complete system compromise and potential network infiltration. Once exploited, an attacker gains control over the router's operational functions, including wireless configuration parameters, network routing decisions, and potentially access to the internal network. This vulnerability affects the integrity and availability of the device's services, as successful exploitation can lead to denial of service conditions or persistent backdoor access. The attack surface is broad since routers typically serve as central network hubs with access to multiple network segments, making them attractive targets for attackers seeking to establish persistent access points within networks. According to ATT&CK framework, this vulnerability maps to T1059 Command and Scripting Interpreter and T1566 Phishing, as it enables attackers to execute arbitrary commands on the device and potentially use it as a launching point for further network attacks. The remote exploitability means that this vulnerability can be leveraged from anywhere on the internet without requiring physical proximity to the affected device. Organizations and consumers should immediately assess their network exposure and consider implementing network segmentation, firewall rules, and other defensive measures to limit the potential impact of such vulnerabilities. The disclosure of the exploit increases the risk profile significantly, as it removes the need for advanced exploitation techniques and makes this vulnerability accessible to a broader range of threat actors.