CVE-2026-3799 is a stack-based buffer overflow vulnerability identified in the Tenda i3 router firmware version 1.0.0.6(2204). The flaw exists in the formSetCfm function located in the /goform/setcfm endpoint. Specifically, the vulnerability is triggered by improper validation and handling of the funcpara1 parameter, which can be manipulated by a remote attacker to overflow the stack buffer. This overflow can corrupt the stack frame, potentially allowing the attacker to execute arbitrary code remotely without requiring authentication or user interaction. The vulnerability is remotely exploitable over the network, making it particularly dangerous for exposed devices. The CVSS 4.0 vector indicates no privileges required (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). Although no active exploitation has been reported, a public exploit is available, increasing the likelihood of attacks. The vulnerability affects a specific firmware version of Tenda i3, a device commonly used in home and small office networks. The lack of an official patch link suggests that mitigation may currently rely on workarounds or vendor updates pending release.

The impact of CVE-2026-3799 is significant due to its remote exploitability and high CVSS score. Successful exploitation can lead to full compromise of affected Tenda i3 devices, allowing attackers to execute arbitrary code with the privileges of the vulnerable service. This can result in unauthorized access to network traffic, interception or manipulation of data, disruption of network availability, and potential pivoting to internal networks. Organizations relying on Tenda i3 routers for critical network connectivity, especially in small office or home office environments, face risks of data breaches, service outages, and lateral movement by attackers. The absence of authentication and user interaction requirements lowers the barrier for exploitation, increasing the threat surface. The availability of a public exploit further elevates the risk of widespread attacks once threat actors incorporate it into their toolkits.

1. Immediately verify if your environment uses Tenda i3 devices running firmware version 1.0.0.6(2204) and isolate them from untrusted networks if possible. 2. Monitor Tenda’s official channels for firmware updates addressing this vulnerability and apply patches promptly once available. 3. Implement network-level protections such as firewall rules to restrict access to the /goform/setcfm endpoint from untrusted sources, ideally limiting management interfaces to trusted internal networks only. 4. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting exploitation attempts targeting this vulnerability. 5. Conduct regular network traffic analysis to identify anomalous requests to the vulnerable endpoint. 6. Consider device replacement if patching is delayed or unavailable, especially in high-risk environments. 7. Educate network administrators about the risks and signs of exploitation to enable rapid response. 8. Use network segmentation to limit the impact of a compromised device and prevent lateral movement.