HIGH 7.5

CVE-2026-36786: Tenda FH451 Stack Overflow Denial of Service Vulnerability

Tenda FH451 routers running firmware version 1.0.0.9 contain a memory corruption flaw that crashes the device when attackers send specially crafted network requests. The vulnerability exploits how the device processes DHCP client list information, allowing remote attackers to knock the router offline without needing authentication. This is a straightforward denial-of-service condition with no data theft or system compromise involved.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the list1 parameter of the fromDhcpListClient function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36786 is a stack overflow in the fromDhcpListClient function of Tenda FH451 V1.0.0.9. The vulnerability exists in improper bounds checking of the list1 parameter when processing DHCP client list data submitted via HTTP requests. An unauthenticated remote attacker can supply an oversized payload to overflow the stack, causing the application or device to crash. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), indicating classic memory safety issues arising from unbounded input handling.

Business impact

Affected organizations using Tenda FH451 routers face intermittent network unavailability when attackers trigger the denial-of-service condition. In environments where these devices serve as critical network gateways or access points, exploitation results in user disconnection, loss of internet connectivity, and operational disruption. The attack requires no credentials and can be executed remotely, making it a low-friction threat. Recovery requires manual device restart, causing extended downtime in unmonitored deployments.

Affected systems

Tenda FH451 routers with firmware version 1.0.0.9 are confirmed vulnerable. The vulnerability is specific to this firmware revision; administrators should verify whether their deployments are running this exact version and confirm availability of patched versions from Tenda. Devices in default configurations are immediately exposed since the vulnerable HTTP endpoint is accessible without authentication.

Exploitability

This vulnerability presents high exploitability from a network perspective. The attack vector is network-based, requires no authentication, no user interaction, and no special configuration. An attacker needs only to send a crafted HTTP request containing an oversized list1 parameter to the vulnerable endpoint. No exploit complexity exists—the payload construction is straightforward for anyone with basic HTTP knowledge. The lack of authentication requirements and ease of triggering make this a concern for any organization with Tenda FH451 devices exposed to untrusted networks.

Remediation

Tenda has released patched firmware for the FH451 series. Organizations should immediately check Tenda's support page for updated firmware versions beyond 1.0.0.9, download the latest available release, and apply it to all affected devices. Firmware upgrades on Tenda routers typically involve accessing the web management interface and uploading the patched image. For networks unable to patch immediately, restrict HTTP access to the router's management interface using firewall rules or network segmentation to limit exposure from untrusted sources.

Patch guidance

Obtain the latest firmware version from Tenda's official website or support channels (verify against the vendor advisory for specific patched versions). Apply the update through the Tenda FH451's web interface under System Settings > Firmware Upgrade. Ensure the device remains powered and uninterrupted during the upgrade process. Test connectivity after upgrade to confirm functionality is restored. Document the patched firmware version in your device inventory for compliance tracking.

Detection guidance

Monitor network traffic for unusually large HTTP POST requests targeting the Tenda FH451's management interface, particularly those with abnormally long parameters in DHCP-related endpoints. Examine router logs for repeated crashes or unexpected reboots correlating with suspicious HTTP requests. Deploy network intrusion detection signatures that flag oversized payloads sent to router management ports. Track firmware versions across your Tenda fleet to identify devices still running V1.0.0.9. Consider implementing rate limiting or request size restrictions at the network perimeter to mitigate exploitation attempts.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS severity (7.5), network accessibility without authentication, and ease of exploitation. The denial-of-service impact, while not involving data theft, directly disrupts availability—a core security pillar. Any organization with Tenda FH451 devices should prioritize patching or network isolation within the next two weeks. The threat is amplified in environments where network uptime is critical (healthcare, financial services, manufacturing) or where devices are internet-facing.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible vulnerability with no authentication barrier, no user interaction needed, and complete availability impact. The scope is unchanged (S:U), and there is no confidentiality or integrity compromise (C:N, I:N), limiting the rating below critical. However, the straightforward attack vector and high exploitability justify the HIGH classification. Real-world risk is proportional to your exposure: devices on untrusted networks or the public internet represent significantly higher risk than those isolated behind robust network controls.

Frequently asked questions

Does this vulnerability allow attackers to steal data or take control of my router?

No. CVE-2026-36786 causes only a denial-of-service condition. The stack overflow crashes the device but does not provide code execution, data exfiltration, or persistent system compromise. An attacker can make the router unavailable but cannot read your network traffic, credentials, or connected devices.

Is my Tenda FH451 definitely vulnerable if I own one?

Only if you are running firmware version 1.0.0.9. Check your device's firmware version in the System Settings or About page. If you are on a newer version, you are likely protected. Contact Tenda support or visit their website to confirm the patched version available for your specific model variant.

Can I protect my router without patching?

Partial mitigation is possible: restrict access to the router's web management interface using firewall rules, implement network segmentation to limit untrusted access, and disable remote management if you do not require it. However, these are temporary measures. Patching is the proper remediation and should be completed as soon as feasible.

What happens if the router is exploited—will I know about it?

Yes, typically. The device will reboot or become unresponsive, causing immediate user-facing network outage. If you notice sudden restarts or loss of connectivity to your Tenda FH451, especially correlating with security alerts, this may indicate exploitation or scanning activity.

This analysis is based on vulnerability data published as of June 2026. Patch availability and vendor guidance may change; always verify current remediation steps against the official Tenda advisory. This assessment does not constitute legal or regulatory advice. Organizations must independently assess their exposure, test patches in non-production environments before deployment, and align remediation efforts with their risk tolerance and operational schedules. No active exploitation has been confirmed in this summary; however, the ease of exploitation warrants prompt patching. For questions specific to your infrastructure, consult your security team or the device vendor directly. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).