Description
A flaw has been found in Tenda F453 1.0.0.3. This affects the function fromqossetting of the file /goform/qossetting. Executing a manipulation of the argument qos can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.
Published: 2026-03-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote buffer overflow
Action: Update firmware
AI Analysis

Impact

The vendor firmware for the Tenda F453 router contains a buffer overflow in the fromqossetting function located in the /goform/qossetting web endpoint. When an attacker supplies a specially crafted qos parameter in an HTTP request, the overflow can corrupt memory and potentially allow the attacker to execute arbitrary code or crash the device.

Affected Systems

This vulnerability is limited to the Tenda F453 router running firmware version 1.0.0.3. No other firmware revisions are documented as affected.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity. EPSS indicates a very low exploitation probability (<1%). The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, requiring the attacker to access the router’s administrative web interface over HTTP and send the malicious qos payload.

Generated by OpenCVE AI on April 17, 2026 at 13:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that fixes the QoS buffer overflow.
  • Restrict or block remote access to the /goform/qossetting endpoint by configuring firewall rules or disabling remote management.
  • Monitor HTTP traffic to the router for unexpected POST requests to /goform/qossetting and alert on anomalous activity.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) | | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:h:tenda:f453:-:*:*:*:*:*:*:*; cpe:2.3:o:tenda:f453_firmware:1.0.0.3:*:*:*:*:*:*:*

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tenda f453
Vendors & Products | | Tenda f453

Sun, 01 Mar 2026 02:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Tenda F453 1.0.0.3. This affects the function fromqossetting of the file /goform/qossetting. Executing a manipulation of the argument qos can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.
Title | | Tenda F453 qossetting fromqossetting buffer overflow
First Time appeared | | Tenda; Tenda f453 Firmware
Weaknesses | | CWE-119; CWE-120
CPEs | | cpe:2.3:o:tenda:f453_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Tenda; Tenda f453 Firmware
References | |
Metrics (cvssV2_0) | | {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics (cvssV3_0) | | {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics (cvssV3_1) | | {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics (cvssV4_0) | | {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-06T15:00:08.903Z

Reserved: 2026-02-28T06:55:36.748Z

Link: CVE-2026-3378

Vulnrichment

Updated: 2026-03-06T14:59:55.812Z

NVD

Status: Analyzed

Published: 2026-03-01T03:16:15.103

Modified: 2026-03-03T17:34:16.947

Link: CVE-2026-3378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z
