CVE-2026-3808: Tenda FH1202 Buffer Overflow Vulnerability

CVE-2026-3808 Overview

CVE-2026-3808 is a stack-based buffer overflow vulnerability affecting Tenda FH1202 routers running firmware version 1.2.0.14(408). The flaw resides in the formWebTypeLibrary function exposed through the /goform/webtypelibrary endpoint. Attackers can trigger memory corruption by manipulating the webSiteId argument in HTTP requests sent to the router's web management interface. The vulnerability is exploitable remotely across the network and a public exploit is available, increasing the likelihood of opportunistic attacks against exposed devices. The weakness is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Remote attackers can corrupt stack memory on Tenda FH1202 routers by sending a crafted webSiteId parameter, potentially leading to denial of service or arbitrary code execution on the device.

Affected Products

• Tenda FH1202 router (hardware)
• Tenda FH1202 firmware version 1.2.0.14(408)
• Web management interface endpoint /goform/webtypelibrary

Discovery Timeline

• 2026-03-09 - CVE-2026-3808 published to NVD
• 2026-03-09 - Last updated in NVD database

Technical Details for CVE-2026-3808

Vulnerability Analysis

The vulnerability exists in the formWebTypeLibrary handler within the Tenda FH1202 web server binary. This handler processes requests submitted to /goform/webtypelibrary and reads the webSiteId parameter from the HTTP request body or query string. The handler copies attacker-controlled input into a fixed-size stack buffer without performing adequate bounds checking. When the supplied webSiteId exceeds the destination buffer length, adjacent stack memory including the saved return address is overwritten. Exploitation requires only network reachability to the router's management interface and a low-privilege authenticated session. Successful exploitation impacts confidentiality, integrity, and availability of the device.

Root Cause

The root cause is the absence of length validation before copying the webSiteId argument into a stack-allocated buffer inside formWebTypeLibrary. Like many embedded HTTP handlers in Tenda firmware, the function relies on unsafe string-copy primitives without enforcing maximum input sizes. This pattern is consistent with [CWE-119] memory boundary violations frequently observed in Tenda's httpd web server component.

Attack Vector

An attacker reaches the vulnerability by sending an HTTP request to /goform/webtypelibrary on the router's management interface with an oversized webSiteId parameter value. The request travels across the network and does not require user interaction. On devices where the management interface is exposed to untrusted networks or the internet, attackers can launch the attack directly. On internal networks, attackers can pivot from any host with HTTP access to the router. A working proof-of-concept is published in the GitHub PoC Repository, which lowers the barrier for exploitation.

No verified exploit code is reproduced here. Refer to the VulDB entry #349774 for additional technical context.

Detection Methods for CVE-2026-3808

Indicators of Compromise

• HTTP POST or GET requests to /goform/webtypelibrary containing abnormally long webSiteId parameter values
• Router crashes, unexpected reboots, or httpd process restarts following inbound requests to the web management interface
• Outbound connections from the router to unknown hosts after suspicious web-management traffic
• Configuration changes on the FH1202 that do not correspond to authorized administrator activity

Detection Strategies

• Inspect HTTP traffic destined for the router for webSiteId parameter lengths that exceed typical web UI values (commonly under 64 bytes)
• Deploy network intrusion detection signatures targeting requests to /goform/webtypelibrary with oversized parameters
• Correlate router availability monitoring alerts with preceding inbound HTTP requests to the management interface

Monitoring Recommendations

• Forward router system logs and management-interface access logs to a centralized logging platform for analysis
• Monitor for unauthorized access attempts to the FH1202 administrative interface from internal hosts and external sources
• Track firmware version inventory to identify devices still running 1.2.0.14(408)

How to Mitigate CVE-2026-3808

Immediate Actions Required

• Restrict access to the router's web management interface to a dedicated administrative VLAN or specific management hosts
• Disable remote (WAN-side) administration on all Tenda FH1202 devices until a vendor patch is verified and applied
• Inventory all Tenda FH1202 devices running firmware 1.2.0.14(408) and prioritize their network isolation
• Rotate administrative credentials and review router configurations for unauthorized changes

Patch Information

No vendor advisory or patched firmware has been published at the time of disclosure. Consult the Tenda Official Website for firmware updates. Until a fix is released, treat affected devices as exposed and apply compensating network controls.

Workarounds

• Place the router's management interface behind a firewall rule that permits access only from trusted management IP addresses
• Replace affected FH1202 devices with supported hardware in environments where remote administration cannot be disabled
• Segment the FH1202 onto an isolated network and disable any port-forwarding rules that expose goform endpoints externally

# Example firewall rule restricting access to the router management interface
# Replace 192.0.2.10 with the authorized management host and 10.0.0.1 with the router IP
iptables -A FORWARD -p tcp -s 192.0.2.10 -d 10.0.0.1 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -j DROP
iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 443 -j DROP