Skip to main content

Tenda W3 CVE-2026-36793

HIGH
Stack-based Buffer Overflow (CWE-121)
2026-06-09 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 10, 2026 - 18:26 vuln.today
CVSS changed
Jun 10, 2026 - 18:22 NVD
7.5 (HIGH)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain multiple stack overflows in the formwrlSSIDset function via the mit_ssid and mis_ssid_index parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

AnalysisAI

Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack-based buffer overflows in the formwrlSSIDset handler. The flaw is reachable without authentication or user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but EPSS is only 0.01% and no public exploit identified at time of analysis suggests low near-term mass-exploitation likelihood despite the trivial attack surface.

Technical ContextAI

The vulnerable component is the embedded HTTP management daemon of the Tenda W3 SOHO wireless router, specifically the formwrlSSIDset function which processes wireless SSID configuration submissions. Two parameters - mit_ssid and mis_ssid_index - are copied into fixed-size stack buffers without proper length validation, matching CWE-121 (Stack-based Buffer Overflow). Tenda's web management firmware historically uses C-based form handlers (httpd/goahead derivatives) where parameter values from POST bodies are passed to unsafe routines like strcpy or sprintf, corrupting saved frame pointers and return addresses on the call stack. The referenced research at github.com/xhh0124/SemVulLLM points to reverse-engineered analysis of function FUN_00442b44, indicating the issue was identified through static binary analysis of the MIPS/ARM router firmware rather than vendor disclosure.

RemediationAI

No vendor-released patch identified at time of analysis - the only public reference is third-party vulnerability research, not a Tenda security bulletin. Owners of the Tenda W3 v1.0.0.3(2204) should check tendacn.com for firmware updates referencing formwrlSSIDset or SSID handling fixes and apply the newest available image. Until a fix is published, disable remote/WAN-side web management entirely (this is the highest-value mitigation and has no functional cost for typical home users), restrict LAN-side access to the management interface to a specific admin VLAN or trusted MAC, and consider replacing the device if it is end-of-life and unlikely to receive firmware updates - a consideration likely for an older W3 SKU. If the router must remain in service, accept that a malicious LAN client can trivially reboot/crash it and plan for resilience (UPS, monitored uptime) rather than relying on the device's HTTP service.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-36793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy