CVE-2026-36772: Tenda W3 Stack Overflow DoS Vulnerability – Patch Guidance
Tenda W3 wireless routers running firmware version 1.0.0.3(2204) contain a stack overflow vulnerability in how they process the wl_radio parameter during SSID configuration requests. An attacker on the local network can send a specially crafted input to crash the router, causing a denial of service. The vulnerability requires no authentication and no user interaction to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formwrlSSIDget function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36772 is a stack buffer overflow (CWE-121) in the formwrlSSIDget function of Tenda W3 firmware. The wl_radio parameter fails to validate input length before copying to a stack-allocated buffer, enabling classic stack smashing. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects attack surface limited to adjacent networks, but once reachable, exploitation is trivial and impacts only availability. The vulnerability does not appear to enable code execution or credential theft under standard conditions.
Business impact
For organizations deploying Tenda W3 routers—particularly in small offices, branches, or remote sites—this vulnerability creates an availability risk. An attacker with network adjacency can remotely trigger a device restart or hang without authorization, disrupting connectivity. In environments where the router serves critical functions (VPN gateway, guest network isolation, or network segmentation), repeated DoS attacks could degrade operations and require manual recovery.
Affected systems
Tenda W3 Wireless Router firmware version 1.0.0.3(2204) is confirmed vulnerable. Organizations should verify whether this specific firmware build is deployed in their network inventory. Tenda may have released patched versions; consult the vendor's security advisory and firmware repository to identify affected serial batches and available updates.
Exploitability
Exploitation is straightforward but geographically limited. An attacker must be on the same network segment (AV:A) or have routed access to the router's management interface. No authentication, user interaction, or complex exploitation primitives are required—a single malformed request triggers the overflow. The low attack complexity (AC:L) makes this practical for adversaries within network range. Remote exploitation from the internet is unlikely unless the router's web interface is exposed.
Remediation
Apply the latest firmware release from Tenda that patches the formwrlSSIDget stack overflow. Verify the patched firmware version against Tenda's official security advisory. As an interim control, restrict network access to the router's web interface using access control lists (ACLs), firewall rules, or device-level management VLANs to limit exposure to trusted administrators only. Monitor router logs and device status for unexpected restarts or anomalies.
Patch guidance
Visit Tenda's official support website and download the latest firmware for the W3 model. Before deploying to production, test patches in a non-critical environment to confirm functionality and compatibility with your network configuration. Schedule patching during a maintenance window to minimize service disruption during the router reboot cycle. Document the pre- and post-patch firmware versions for compliance and audit purposes.
Detection guidance
Monitor router logs for access attempts to the formwrlSSIDget endpoint or wl_radio parameter manipulation. Watch for unexpected device reboots, loss of connectivity, or firmware debug messages that may indicate exploitation attempts. Network intrusion detection systems (IDS) can flag anomalously long or malformed SSID configuration requests. Implement baseline monitoring of router uptime and CPU/memory status to detect repeated crash patterns that suggest active attack.
Why prioritize this
Although this is a MEDIUM-severity DoS vulnerability, it warrants prompt attention in environments where router availability directly affects business continuity. The local-network-only attack surface reduces overall risk compared to remotely exploitable flaws, but the trivial exploitation barrier and lack of authentication requirements mean any adjacent adversary can disrupt service. Prioritize patching in critical locations; lower-priority remote sites can follow standard patch cycles.
Risk score, explained
CVSS 3.1 score of 6.5 (MEDIUM) reflects the combination of easy exploitation (AV:A, AC:L, PR:N, UI:N) and high impact on availability (A:H), offset by the requirement for network adjacency and lack of confidentiality or integrity compromise. This scoring is appropriate for a local DoS without code execution potential. Organizations with extensive Tenda deployments should consider this score a floor; business risk may be higher in availability-critical contexts.
Frequently asked questions
Can this vulnerability be exploited over the internet?
No, the attack vector is limited to adjacent networks (AV:A). Remote internet-based exploitation is not possible unless the router's web interface is directly exposed to the internet, which is an additional misconfiguration. Standard network segmentation and access controls effectively mitigate this risk.
Does this vulnerability allow an attacker to gain admin access or steal data?
No. The stack overflow affects only availability (denial of service). There is no evidence that it enables code execution, privilege escalation, or data exfiltration. An attacker can crash or restart the router but cannot modify settings or access stored credentials.
How long does it take to patch a Tenda W3 router?
Firmware updates typically take 5–10 minutes to download and install, followed by a brief reboot (2–3 minutes). Plan patching during a maintenance window to avoid unexpected downtime. Always back up router configuration before updating firmware.
Is this vulnerability being actively exploited in the wild?
As of the last intelligence update, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed widespread exploitation. However, the ease of exploitation and availability of technical details mean vigilance is warranted, especially in organizations with exposed router management interfaces.
This analysis is based on information available as of the publication date and reflects the vulnerability details provided in the CVE record. Patch version numbers and specific firmware updates must be verified directly against Tenda's official security advisory and firmware repository—do not rely solely on this summary for deployment decisions. CVSS scores represent a standardized measure of technical severity but do not account for organizational context, asset criticality, or threat landscape; adjust your internal risk ratings accordingly. Organizations should conduct their own vulnerability assessments and consult vendor advisories before implementing fixes. This information is provided for defensive security purposes only. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-59613MEDIUMQualcomm Memory Corruption Vulnerability – Firmware Security Impact
- CVE-2025-62858MEDIUMQNAP Buffer Overflow (QTS / QuTS hero) – Patch Now
- CVE-2026-0413MEDIUMNETGEAR Orbi Buffer Overflow Firmware Vulnerability
- CVE-2026-10064MEDIUMTRENDnet TEW-432BRP Stack Overflow – Unpatched EOL Router Vulnerability
- CVE-2026-11793MEDIUM389 Directory Server Stack Buffer Overflow in Password Parsing
- CVE-2026-1871MEDIUMTP-Link Tapo C200 v5 RTSP Buffer Overflow DoS Vulnerability
- CVE-2026-35716MEDIUMVIVOTEK FD8136 Stack Buffer Overflow Remote Code Execution
- CVE-2026-35717MEDIUMVIVOTEK FD8136 Stack Buffer Overflow – Authenticated RCE Vulnerability