Tenda O3 Router
CVE-2026-36779
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain multiple stack overflows in the fromVirtualSer function via the puVar2, puVar1, __s2, __s1_00, and puVar3 parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
AnalysisAI
Denial of service in Tenda O3 Wireless Router firmware v1.0.0.5(4180) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack buffer overflows in the fromVirtualSer function. Five distinct overflow sinks (puVar2, puVar1, __s2, __s1_00, puVar3) are reachable via the same handler. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.01%, but a research repository with vulnerability artifacts is referenced.
Technical ContextAI
The Tenda O3 is a SOHO/outdoor wireless router whose web-based management interface exposes a CGI-style handler named fromVirtualSer, typically responsible for processing virtual server (port-forwarding) configuration submissions. The flaw is classified as CWE-121 (Stack-based Buffer Overflow), meaning user-supplied HTTP parameters are copied into fixed-size stack buffers without adequate length validation - likely via unbounded strcpy/sprintf-style operations on the listed variables. On embedded MIPS/ARM routers running stripped-down Linux without modern stack protections (canaries, ASLR, NX often partial), such overflows reliably corrupt the saved return address and crash the httpd daemon. The CPE entry is generic ('n/a'), so authoritative product enumeration must come from the description rather than NVD CPE matching.
RemediationAI
No vendor-released patch identified at time of analysis - the only reference is a third-party GitHub research repository (https://github.com/xhh0124/SemVulLLM/tree/main/O3/fromVirtualSer), not a Tenda advisory. Until Tenda publishes updated firmware for the O3, restrict access to the device's web management interface by disabling remote/WAN-side administration (this prevents internet-borne exploitation but does not block LAN/WLAN attackers and may inconvenience admins managing remote sites), placing the management VLAN behind an ACL that only permits trusted administrative hosts, and blocking inbound HTTP/HTTPS to the router's WAN IP at any upstream firewall. Monitor Tenda's support portal for firmware later than v1.0.0.5(4180) and apply it once released; given Tenda's history with SOHO router vulnerabilities, consider replacing end-of-life O3 units with actively maintained hardware if no patch materializes.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today