Tenda W3
CVE-2026-36793
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain multiple stack overflows in the formwrlSSIDset function via the mit_ssid and mis_ssid_index parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
AnalysisAI
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack-based buffer overflows in the formwrlSSIDset handler. The flaw is reachable without authentication or user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but EPSS is only 0.01% and no public exploit identified at time of analysis suggests low near-term mass-exploitation likelihood despite the trivial attack surface.
Technical ContextAI
The vulnerable component is the embedded HTTP management daemon of the Tenda W3 SOHO wireless router, specifically the formwrlSSIDset function which processes wireless SSID configuration submissions. Two parameters - mit_ssid and mis_ssid_index - are copied into fixed-size stack buffers without proper length validation, matching CWE-121 (Stack-based Buffer Overflow). Tenda's web management firmware historically uses C-based form handlers (httpd/goahead derivatives) where parameter values from POST bodies are passed to unsafe routines like strcpy or sprintf, corrupting saved frame pointers and return addresses on the call stack. The referenced research at github.com/xhh0124/SemVulLLM points to reverse-engineered analysis of function FUN_00442b44, indicating the issue was identified through static binary analysis of the MIPS/ARM router firmware rather than vendor disclosure.
RemediationAI
No vendor-released patch identified at time of analysis - the only public reference is third-party vulnerability research, not a Tenda security bulletin. Owners of the Tenda W3 v1.0.0.3(2204) should check tendacn.com for firmware updates referencing formwrlSSIDset or SSID handling fixes and apply the newest available image. Until a fix is published, disable remote/WAN-side web management entirely (this is the highest-value mitigation and has no functional cost for typical home users), restrict LAN-side access to the management interface to a specific admin VLAN or trusted MAC, and consider replacing the device if it is end-of-life and unlikely to receive firmware updates - a consideration likely for an older W3 SKU. If the router must remain in service, accept that a malicious LAN client can trivially reboot/crash it and plan for resilience (UPS, monitored uptime) rather than relying on the device's HTTP service.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today