Tenda O3 Router
CVE-2026-36778
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain a stack overflow in the username parameter of the R7WebsSecurityHandler function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
AnalysisAI
Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.
Technical ContextAI
CWE-121 (Stack-based Buffer Overflow) describes a class of memory corruption bugs where a fixed-size stack buffer is written beyond its bounds, corrupting adjacent stack frames or return addresses. In this case, the R7WebsSecurityHandler function - part of the router's embedded HTTP server handling authentication requests - fails to enforce a length check on the inbound username parameter before copying it to a stack-allocated buffer. Tenda O3 is a consumer-grade wireless router running a Linux-based embedded firmware. The CPE entry in the NVD record is unpopulated (cpe:2.3:a:n/a:n/a), meaning automated asset matching against this CPE will not function; the affected product is solely identified via the CVE description as firmware version v1.0.0.5(4180). The overflow impacts availability only (A:H, C:N, I:N per CVSS), consistent with a crash/reboot DoS rather than code execution, though stack overflows of this class can theoretically be chained to RCE under certain conditions not evidenced in available data.
RemediationAI
No vendor-released patch identified at time of analysis. No official Tenda security advisory is available in the provided references. As a primary compensating control, administrators should restrict access to the router's web management interface to trusted LAN addresses only and disable remote (WAN-side) management if enabled - this prevents network-based exploitation without requiring firmware changes, though it does not eliminate risk from LAN-side authenticated users. Additionally, ensure the admin password is changed from the factory default to a strong, unique credential, as PR:H exploitation depends on possessing valid admin credentials. Monitoring for unexpected reboots may help detect exploitation attempts. Users should check the official Tenda support portal for firmware updates addressing this issue, as patch availability could not be confirmed from available data.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today