CVE-2026-36771: Tenda W3 Router Stack Overflow Denial of Service
The Tenda W3 wireless router (version 1.0.0.3 build 2204) contains a stack overflow vulnerability in how it processes the wl_radio parameter when setting wireless SSID configuration. An attacker on the network can send specially crafted input to crash the router, disrupting service for all connected devices. No authentication is required to trigger this flaw.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formwrlSSIDset function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36771 is a stack buffer overflow (CWE-121) in the formwrlSSIDset function of the Tenda W3 router. The vulnerability exists in the wl_radio parameter handler, which fails to properly validate input length before writing to the stack. The flaw is remotely exploitable without authentication, leading to denial of service through application crash or potential code execution depending on exploitation sophistication. The CVSS 3.1 score of 7.5 (HIGH) reflects the high availability impact and zero network access barriers.
Business impact
Router downtime directly impacts business continuity for any organization relying on affected Tenda W3 units for internet connectivity. Repeated denial-of-service attacks could severely degrade network availability. In environments where this router handles critical access or serves multiple departments, exploits could cost significant productivity. The attack requires no authentication, meaning any upstream network attacker or compromised device can initiate an outage.
Affected systems
Tenda W3 Wireless Router firmware version 1.0.0.3 build 2204 is confirmed vulnerable. Organizations should audit their network for this specific model and firmware revision. Older or newer firmware builds of the W3 may or may not be affected; verification against Tenda's advisory is required.
Exploitability
This vulnerability is network-accessible and requires no authentication, making it relatively straightforward to exploit from any device with network access to the router's IP. Crafting the malicious wl_radio input is straightforward once the vulnerable parameter is identified. Public exploit code may emerge; the vulnerability does not require user interaction on the device itself. The primary barrier is network connectivity to the router interface.
Remediation
Patch immediately to the latest firmware version provided by Tenda for the W3 router. If patched firmware is not yet available, implement network segmentation to restrict direct access to the router's management interface from untrusted networks. Consider deploying rate-limiting or access controls on the router configuration endpoint. Verify patch availability through Tenda's official support channels.
Patch guidance
Check Tenda's official website or your device's firmware update mechanism for the latest W3 router firmware release. Apply any available firmware update that addresses CVE-2026-36771. Document the current firmware version before updating to confirm your router is vulnerable. Test the patch in a non-production environment first if possible. Tenda's advisory should specify the minimum patched firmware version; verify your upgrade reaches or exceeds that version.
Detection guidance
Monitor for HTTP/HTTPS requests to the router's web interface containing the wl_radio parameter with abnormally long or binary payloads. Observe for unexpected router reboots or unresponsive web interface access. Check router logs for configuration set errors correlating with DoS incidents. Network-based detection can look for POST requests to the SSID configuration endpoint with oversized or malformed parameters. Internal vulnerability scanners should flag the W3 on version 1.0.0.3(2204) if configured with those specifics.
Why prioritize this
The combination of zero-authentication network exploitability, confirmed denial-of-service impact, and HIGH severity warrants immediate attention. Any organization running this router model should prioritize patching. The lack of KEV inclusion should not reduce urgency—the technical factors alone justify rapid remediation given the direct availability impact.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a HIGH severity vulnerability due to: (1) Network accessibility with no authentication required (AV:N/PR:N), (2) Low attack complexity (AC:L), (3) High impact on availability (A:H), and (4) no confidentiality or integrity compromise in the baseline scenario. The score appropriately captures the practical risk to router availability while excluding speculative code-execution scenarios not confirmed in the vulnerability description.
Frequently asked questions
Does this affect all Tenda W3 routers or just specific versions?
Only Tenda W3 firmware version 1.0.0.3 build 2204 is confirmed vulnerable. Other firmware versions of the W3 or different Tenda models may or may not be affected. Verify your exact firmware version in the router's web interface or check Tenda's official advisory to determine if your device is impacted.
Can this vulnerability lead to remote code execution, or only denial of service?
The confirmed impact is denial of service through crash. Stack overflows can theoretically lead to code execution if an attacker invests effort in crafting a payload to overwrite the return address; however, the published vulnerability description documents DoS impact only. Any RCE potential would require additional research and likely exploit development.
What should we do if a patch isn't available yet?
Implement compensating controls: restrict network access to the router's management interface using firewall rules, disable remote management if not required, and use VPN or air-gapped administration. Monitor for signs of exploitation. Check Tenda's support portal weekly for patch availability. Document the vulnerability and your mitigation approach for audit purposes.
How would an attacker deliver a crafted wl_radio payload to the router?
The attacker needs network access to the router's web interface (usually port 80 or 443) and would send a specially formatted HTTP POST request targeting the SSID configuration function with an oversized or malformed wl_radio parameter. This can be done from any device with a network path to the router.
This analysis is based on published vulnerability data current as of the provided source material. Specific patch version numbers, availability, and comprehensive affected product lists should be verified directly against Tenda's official security advisory. SEC.co makes no warranty regarding the accuracy of vendor patch timelines or the completeness of affected hardware inventory. Organizations are responsible for validating their own device configurations and patch eligibility. This explainer does not constitute legal, compliance, or purchasing advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2025-52292HIGHGPAC MP4Box Stack Buffer Overflow Denial of Service
- CVE-2025-66280HIGHQNAP Integer Overflow Vulnerability: Patch & Risk Assessment
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi