Tenda G0
CVE-2026-36796
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote unauthenticated HTTP request against the management interface (AV:N/AC:L/PR:N/UI:N) crashes httpd causing availability loss only (A:H), with no confidentiality or integrity impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a stack overflow in the picCropName parameter of the formCropAndSetWewifiPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
AnalysisAI
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request with an oversized picCropName parameter to the formCropAndSetWewifiPic handler. The flaw is a classic stack buffer overflow in the web management interface, and while no public weaponized exploit is identified, proof-of-concept research artifacts are published on GitHub. EPSS scores exploitation probability at just 0.01%, reflecting limited attacker interest despite trivial reachability.
Technical ContextAI
Tenda G0 is a small-business VPN/gateway router from Shenzhen Tenda Technology that exposes a Linux-based embedded web management interface (typically a goahead/httpd-derived daemon). The formCropAndSetWewifiPic handler processes uploaded wireless captive-portal or login-page images and parses the picCropName HTTP parameter into a fixed-size stack buffer without bounds checking, matching CWE-120 (Classic Buffer Overflow / Buffer Copy without Checking Size of Input). On MIPS/ARM SoC firmware typical of these devices, overrunning the stack frame corrupts saved return addresses and immediately crashes the httpd worker, taking the management plane (and frequently routing) offline until reboot.
RemediationAI
No vendor-released patch identified at time of analysis - check https://www.tendacn.com/ for an updated G0 firmware build superseding v15.11.0.5 and apply it as soon as one is published. Until a fixed firmware exists, the most effective compensating control is to disable remote (WAN-side) web administration and ensure UPnP is not exposing the HTTP management port externally, accepting the trade-off that remote support workflows will require VPN access. On the LAN side, restrict access to the management interface to a dedicated admin VLAN or specific source IPs via firewall ACLs, and monitor the device for unexpected reboots or httpd crashes that may indicate exploitation attempts. Reference the researcher's proof-of-concept at https://github.com/xhh0124/SemVulLLM/tree/main/G0/formCropAndSetWewifiPic to derive detection signatures (oversized picCropName values) for IDS/IPS rules.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today