Description
A security flaw has been discovered in Tenda i3 1.0.0.6(2204). This vulnerability affects the function formWifiMacFilterSet of the file /goform/WifiMacFilterSet. The manipulation of the argument index results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-03-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A stack‑based buffer overflow exists in the formWifiMacFilterSet function of Tenda i3 firmware 1.0.0.6(2204). By manipulating the index argument supplied to /goform/WifiMacFilterSet, an attacker can overflow the device’s stack and potentially execute arbitrary code. The flaw is exploitable remotely, and public exploit code has already been released. Consequently, an adversary could compromise the device’s network functions, leading to data loss, service disruption, or further lateral movement.

Affected Systems

Tenda i3, firmware version 1.0.0.6(2204).

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. EPSS is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Despite this, the exploit is publicly available and can be launched remotely, allowing attackers to gain control of the device by exploiting the stack overflow and bypassing normal authentication constraints.

Generated by OpenCVE AI on April 16, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install any vendor‑released firmware update that addresses the stack overflow, if available.
  • If no patch is yet released, disable the formWifiMacFilterSet interface or the Wi‑Fi MAC filter function to prevent the vulnerable code from being invoked.
  • Restrict remote management of the device by placing it behind a firewall that blocks external access to the /goform/WifiMacFilterSet endpoint.
  • Monitor device logs and network traffic for anomalous activity that might indicate exploitation attempts.

Generated by OpenCVE AI on April 16, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda i3
Tenda i3 Firmware
CPEs cpe:2.3:h:tenda:i3:-:*:*:*:*:*:*:*
cpe:2.3:o:tenda:i3_firmware:1.0.0.6\(2204\):*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda i3
Tenda i3 Firmware

Mon, 09 Mar 2026 05:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Tenda i3 1.0.0.6(2204). This vulnerability affects the function formWifiMacFilterSet of the file /goform/WifiMacFilterSet. The manipulation of the argument index results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Title Tenda i3 WifiMacFilterSet formWifiMacFilterSet stack-based overflow
Weaknesses CWE-119
CWE-121
References
Metrics cvssV2_0

{'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tenda I3 I3 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-10T15:48:48.302Z

Reserved: 2026-03-08T12:39:46.177Z

Link: CVE-2026-3804

cve-icon Vulnrichment

Updated: 2026-03-10T15:48:38.835Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-09T06:16:09.070

Modified: 2026-03-09T15:09:03.447

Link: CVE-2026-3804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:30:16Z

Weaknesses