Tenda W3 Router
CVE-2026-36771
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formwrlSSIDset function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
AnalysisAI
Denial-of-service in the Tenda W3 Wireless Router (firmware v1.0.0.3(2204)) allows remote unauthenticated attackers to crash the device by sending crafted input to the wl_radio parameter of the formwrlSSIDset function, triggering a stack-based buffer overflow. Publicly available exploit research exists in a GitHub repository, but no public exploit identified for weaponized use at time of analysis and the issue is not listed in CISA KEV. The CVSS 7.5 score reflects high availability impact without confidentiality or integrity loss.
Technical ContextAI
The flaw resides in the formwrlSSIDset HTTP form handler exposed by the router's embedded web management interface, which processes wireless SSID configuration parameters including wl_radio. The root cause is CWE-121 (Stack-based Buffer Overflow): the handler copies attacker-controlled wl_radio input into a fixed-size stack buffer without proper bounds checking, corrupting the saved return address or adjacent stack frame data and crashing the HTTP daemon. Tenda SOHO routers commonly run a BusyBox/Linux firmware with custom CGI binaries (httpd/goahead-style) where similar overflow patterns have been disclosed across the Tenda product line. The supplied CPE string is a placeholder ('n/a'), so the authoritative affected product identifier comes from the description text rather than NVD CPE data.
RemediationAI
No vendor-released patch identified at time of analysis. Until Tenda publishes updated firmware for the W3, restrict access to the router's web management interface by ensuring remote/WAN management is disabled (this is typically the default but should be verified), and segment the management VLAN so only trusted administrative hosts can reach the HTTP admin port - the trade-off is reduced convenience for remote administration. Consider replacing the device with a supported model if it is end-of-life, and monitor https://github.com/xhh0124/SemVulLLM/tree/main/W3/formwrlSSIDset and the Tenda support site for a fixed firmware release. As a stronger compensating control, place the router behind a properly secured upstream firewall and disable Wi-Fi SSID self-service portals or any feature that allows untrusted clients to reach formwrlSSIDset.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today