Tenda G0
CVE-2026-36799
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable HTTP endpoint, no auth or interaction, single crafted request triggers the overflow; impact is availability only (service crash), no confidentiality or integrity loss.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a buffer overflow in the portalAuth parameter of the formPortalAuth function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
AnalysisAI
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that overflows the portalAuth parameter handled by the formPortalAuth function. No public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.01%), but a public proof-of-concept research repository on GitHub references the vulnerable function.
Technical ContextAI
The Tenda G0 is a small-business VPN router whose embedded HTTP management/portal interface exposes the formPortalAuth handler. The flaw is a classic CWE-120 classic buffer copy without checking size of input: the portalAuth parameter taken from an HTTP request is copied into a fixed-size stack or heap buffer without bounds validation, leading to memory corruption. Because the affected component is a C-based embedded web server on MIPS/ARM firmware (typical Tenda architecture), corrupting the stack reliably crashes the httpd process and, by extension, the router's management plane. The supplied CPE string (cpe:2.3:a:n/a:n/a) is a placeholder and does not encode the actual product; the description is the authoritative source for affected firmware.
RemediationAI
No vendor-released patch identified at time of analysis and no Tenda advisory is linked in the available references, so monitor https://www.tendacn.com/ for a firmware release that supersedes 15.11.0.5 and apply it once published. As compensating controls, restrict access to the router's HTTP management/portal interface to a trusted management VLAN or specific admin IPs via the device ACL, and ensure WAN-side administration is disabled (default on most Tenda models) - trade-off is loss of remote administration convenience. If the captive-portal authentication feature is not in use, disable it to remove the formPortalAuth attack surface entirely; the side effect is loss of portal-based guest auth. Place the device behind an upstream firewall that drops unsolicited inbound HTTP to the router's management ports, and monitor for repeated httpd crashes/reboots as an indicator of exploitation attempts. Reference research material: https://github.com/xhh0124/SemVulLLM/tree/main/G0/formPortalAuth.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today