HIGH 7.5

CVE-2026-36784: Tenda O3 Router Stack Overflow Denial of Service

A stack overflow vulnerability exists in Shenzhen Tenda Technology's O3 Wireless Router (firmware version 1.0.0.5(4180)) that can be exploited through a specially crafted HTTP request targeting the ip parameter in the fromNetToolGet function. An attacker on the network can trigger this flaw to crash the router, causing a denial of service. No authentication is required, and the attack can be launched remotely.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain a stack overflow in the ip parameter of the fromNetToolGet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36784 is a stack-based buffer overflow (CWE-121) in the fromNetToolGet function of the Tenda O3 router. The vulnerability stems from improper input validation on the ip parameter when processing HTTP requests. A malicious payload exceeding buffer boundaries can overwrite the stack, corrupting memory and crashing the device. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network-based exploitability with no authentication barriers and high impact to availability.

Business impact

Organizations relying on Tenda O3 routers for network connectivity face potential service disruption if exploited. The denial-of-service condition can interrupt business operations until the router is manually rebooted. While confidentiality and integrity are not compromised, the availability impact is severe in environments where the router is a critical network component. This is particularly concerning for small office/home office (SOHO) deployments or remote locations with limited IT support.

Affected systems

Shenzhen Tenda Technology Tenda O3 Wireless Router firmware version 1.0.0.5(4180) is confirmed vulnerable. Other firmware versions and the O3 router line should be evaluated for similar exposure. Organizations should check their Tenda router models and firmware versions against Tenda's security advisories to determine scope of exposure within their environment.

Exploitability

The vulnerability carries high exploitability potential. No authentication is required, the attack complexity is low, and it can be executed over the network by any attacker with HTTP connectivity to the router's management interface. The flaw does not depend on user interaction. However, actual exploitation requires crafting a properly formatted HTTP request with a payload designed to overflow the ip parameter buffer—not a trivial attack but well within the capability of competent threat actors.

Remediation

Verify whether Tenda has released a patched firmware version for the O3 router addressing CWE-121 stack overflow in the fromNetToolGet function. Organizations should consult Tenda's official security advisory and firmware download portal. If patches are unavailable, consider network segmentation to restrict HTTP access to the router's management interface, deploying firewall rules to block suspicious traffic patterns, and evaluating alternative networking equipment if upgrades cannot be deferred.

Patch guidance

Contact Shenzhen Tenda Technology or visit their official support channels to obtain patched firmware for the O3 router. Verify patch availability specifically for firmware version 1.0.0.5(4180) or newer releases. Before deploying patches in production, test on non-critical equipment to ensure compatibility and stability. Document the baseline firmware version and backup configuration before initiating updates. Ensure proper power management during the update process to avoid incomplete flashing.

Detection guidance

Monitor HTTP traffic to router management interfaces for requests with unusual or oversized ip parameter values. Implement network intrusion detection rules to identify payloads attempting to exploit buffer overflows in web-based router management. Log all HTTP requests to the fromNetToolGet endpoint and baseline normal ip parameter sizes. Router access logs and syslog should be reviewed for crashes or restarts correlated with suspicious HTTP traffic. Employ network segmentation to isolate router management interfaces from untrusted network segments.

Why prioritize this

This vulnerability merits prompt attention due to its high CVSS score (7.5), ease of exploitation (no authentication, low complexity), network-accessible attack vector, and impact on a critical network device. While not yet adopted for active exploitation in the wild (KEV status: false), the straightforward nature of the vulnerability and its position in network infrastructure creates significant risk. Organizations should prioritize assessment and remediation ahead of less accessible or complex vulnerabilities.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects the combination of network accessibility, lack of authentication requirements, low attack complexity, and severe impact to availability. The vector shows zero impact to confidentiality and integrity, limiting the score to availability damage. However, the ability for any network-connected attacker to crash a critical network device without preconditions justifies the elevated severity. This is not a critical-severity remote code execution, but represents a material risk to operational continuity.

Frequently asked questions

Can this vulnerability be exploited from the internet, or only from inside the local network?

The CVSS vector indicates network-accessible exploitability (AV:N), meaning the vulnerability can be triggered over the internet if the router's HTTP management interface is exposed. However, most consumers and organizations do not expose router management ports externally. Risk is highest for devices accessible on the internal network or those accidentally exposed via port forwarding.

Does this vulnerability allow attackers to steal data or compromise router configuration?

No. The vulnerability results only in denial of service (router crash). The CVSS vector explicitly shows C:N (no confidentiality impact) and I:N (no integrity impact). Attackers cannot exfiltrate data, modify settings, or gain persistent access through this flaw. However, the crash itself can disrupt network operations.

What should I do if my organization uses Tenda O3 routers but a patch is not yet available?

Implement defense-in-depth measures: restrict HTTP access to the management interface via firewall rules and network segmentation, use strong access controls, monitor for suspicious traffic patterns, and keep alternative network devices ready for rapid deployment if the primary router becomes unavailable. Contact Tenda support directly to escalate patching timelines.

How does this compare in severity to other router vulnerabilities?

At CVSS 7.5 with an availability-only impact, this is a high-severity vulnerability affecting a critical infrastructure component, but falls below the severity of vulnerabilities permitting remote code execution or authentication bypass. It ranks as a significant threat to operational continuity without exposing data or enabling endpoint compromise.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. The vulnerability details, CVSS score, and affected product information are derived from published disclosures. Organizations must verify patch availability and compatibility against vendor advisories before implementing fixes. SEC.co does not provide guarantee of the accuracy or completeness of remediation guidance and recommends consultation with Tenda and internal security teams before making infrastructure decisions. No exploit code or weaponized proof-of-concept is provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).