Skip to main content

Tenda O3 Router CVE-2026-36778

MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-09 mitre
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 10, 2026 - 18:56 vuln.today
CVSS changed
Jun 10, 2026 - 18:22 NVD
4.9 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain a stack overflow in the username parameter of the R7WebsSecurityHandler function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

AnalysisAI

Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.

Technical ContextAI

CWE-121 (Stack-based Buffer Overflow) describes a class of memory corruption bugs where a fixed-size stack buffer is written beyond its bounds, corrupting adjacent stack frames or return addresses. In this case, the R7WebsSecurityHandler function - part of the router's embedded HTTP server handling authentication requests - fails to enforce a length check on the inbound username parameter before copying it to a stack-allocated buffer. Tenda O3 is a consumer-grade wireless router running a Linux-based embedded firmware. The CPE entry in the NVD record is unpopulated (cpe:2.3:a:n/a:n/a), meaning automated asset matching against this CPE will not function; the affected product is solely identified via the CVE description as firmware version v1.0.0.5(4180). The overflow impacts availability only (A:H, C:N, I:N per CVSS), consistent with a crash/reboot DoS rather than code execution, though stack overflows of this class can theoretically be chained to RCE under certain conditions not evidenced in available data.

RemediationAI

No vendor-released patch identified at time of analysis. No official Tenda security advisory is available in the provided references. As a primary compensating control, administrators should restrict access to the router's web management interface to trusted LAN addresses only and disable remote (WAN-side) management if enabled - this prevents network-based exploitation without requiring firmware changes, though it does not eliminate risk from LAN-side authenticated users. Additionally, ensure the admin password is changed from the factory default to a strong, unique credential, as PR:H exploitation depends on possessing valid admin credentials. Monitoring for unexpected reboots may help detect exploitation attempts. Users should check the official Tenda support portal for firmware updates addressing this issue, as patch availability could not be confirmed from available data.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy