Skip to main content

Tenda W3 Router CVE-2026-36771

HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-09 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 21:21 vuln.today
CVSS changed
Jun 09, 2026 - 20:22 NVD
7.5 (HIGH)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formwrlSSIDset function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

AnalysisAI

Denial-of-service in the Tenda W3 Wireless Router (firmware v1.0.0.3(2204)) allows remote unauthenticated attackers to crash the device by sending crafted input to the wl_radio parameter of the formwrlSSIDset function, triggering a stack-based buffer overflow. Publicly available exploit research exists in a GitHub repository, but no public exploit identified for weaponized use at time of analysis and the issue is not listed in CISA KEV. The CVSS 7.5 score reflects high availability impact without confidentiality or integrity loss.

Technical ContextAI

The flaw resides in the formwrlSSIDset HTTP form handler exposed by the router's embedded web management interface, which processes wireless SSID configuration parameters including wl_radio. The root cause is CWE-121 (Stack-based Buffer Overflow): the handler copies attacker-controlled wl_radio input into a fixed-size stack buffer without proper bounds checking, corrupting the saved return address or adjacent stack frame data and crashing the HTTP daemon. Tenda SOHO routers commonly run a BusyBox/Linux firmware with custom CGI binaries (httpd/goahead-style) where similar overflow patterns have been disclosed across the Tenda product line. The supplied CPE string is a placeholder ('n/a'), so the authoritative affected product identifier comes from the description text rather than NVD CPE data.

RemediationAI

No vendor-released patch identified at time of analysis. Until Tenda publishes updated firmware for the W3, restrict access to the router's web management interface by ensuring remote/WAN management is disabled (this is typically the default but should be verified), and segment the management VLAN so only trusted administrative hosts can reach the HTTP admin port - the trade-off is reduced convenience for remote administration. Consider replacing the device with a supported model if it is end-of-life, and monitor https://github.com/xhh0124/SemVulLLM/tree/main/W3/formwrlSSIDset and the Tenda support site for a fixed firmware release. As a stronger compensating control, place the router behind a properly secured upstream firewall and disable Wi-Fi SSID self-service portals or any feature that allows untrusted clients to reach formwrlSSIDset.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36771 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy