HIGH 7.5

CVE-2026-36791: Stack Overflow in Tenda O3v3 Firmware Enables DoS Attacks

A stack overflow vulnerability exists in Tenda O3v3 router firmware version 1.0.0.5. Attackers can send a specially crafted HTTP request to crash the device, rendering it temporarily unavailable. The flaw is in how the device processes certain configuration parameters and does not require authentication or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda O3v3 v1.0.0.5 was discovered to contain a stack overflow in the save_list_data parameter of the formSetCfm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36791 is a stack buffer overflow (CWE-121) in the formSetCfm function of Tenda O3v3 v1.0.0.5 firmware. The vulnerability exists in the handling of the save_list_data parameter when processing HTTP requests. An unauthenticated, remote attacker can trigger the overflow by sending a malformed request, causing the device to crash and denying legitimate users access to network services. The CVSS 3.1 score of 7.5 reflects the high availability impact with low complexity and no authentication requirement.

Business impact

Organizations relying on Tenda O3v3 routers face the risk of unexpected network disruptions. A DoS attack leveraging this vulnerability could take the device offline during critical business hours, interrupting internet connectivity and dependent services. The impact severity depends on whether the router serves as a primary or backup gateway and the recovery time acceptable for your operations. Residential and small office users are particularly vulnerable due to limited failover infrastructure.

Affected systems

Tenda O3v3 running firmware version 1.0.0.5 is confirmed vulnerable. This is a wireless router commonly deployed in small office/home office (SOHO) and residential environments. Organizations using this device should verify their firmware version and deployment scope immediately. No information suggests other Tenda product lines are affected, but firmware updates across the product family should be evaluated.

Exploitability

Exploitation is straightforward and requires minimal technical skill. An attacker positioned anywhere on the internet can trigger the vulnerability by sending a single HTTP request crafted to overflow the buffer; no authentication, user interaction, or social engineering is necessary. The attack is denial-of-service only—it does not grant remote code execution or data exfiltration—but the ease of exploitation means vulnerable devices are attractive targets for service disruption campaigns.

Remediation

Firmware updates are the primary remediation path. Contact Tenda support or check your router's web interface for available updates beyond version 1.0.0.5. Apply patches as soon as testing permits. In the interim, network segmentation or firewall rules restricting access to the device's management interface from untrusted networks may reduce exposure. Monitor device logs for unexpected reboots or error messages that might indicate exploitation attempts.

Patch guidance

Check Tenda's official support website or your router's firmware update mechanism for releases newer than v1.0.0.5. Firmware patches are typically applied through the device's web management interface under System Settings or Administration. Verify that the patch is from an official Tenda source and document the version deployed post-update. Test the device after patching to confirm connectivity and normal operation. If automatic updates are available, consider enabling them to prevent future exposure.

Detection guidance

Monitor router logs for repeated HTTP requests containing unusually long or malformed parameters to the formSetCfm function or configuration endpoints. Look for device reboots or service interruptions preceded by suspicious HTTP traffic. Network-based detection is limited without deep packet inspection, but abnormally large HTTP POST requests to the router's web interface are a potential indicator. Establish a baseline of normal management traffic and alert on deviations. If the device becomes unresponsive, document the timing and check system logs after recovery.

Why prioritize this

Despite the DoS-only impact, this vulnerability merits prompt attention because exploitation is trivial and requires no privileges or interaction. The affected device is Internet-facing in most deployments, making it accessible to any attacker. Network availability is a critical business function; even temporary disruptions can cascade into broader outages. The high CVSS score reflects this risk profile. Prioritize patching over other medium-severity vulnerabilities, especially if your organization relies on this router for production connectivity.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH severity) reflects a network-accessible vulnerability with low attack complexity, no privilege requirements, and no user interaction needed. The vector AV:N/AC:L/PR:N/UI:N indicates remote exploitability with minimal barriers. Impact is limited to availability (A:H), as the vulnerability causes denial of service without compromising confidentiality or integrity. The score balances the ease of exploitation against the bounded impact of the attack.

Frequently asked questions

Can this vulnerability be exploited remotely without access to the local network?

Yes. The vulnerability is network-accessible from the Internet if the router's web management interface is exposed or if the affected parameter is accessible through normal routing functions. Organizations should ensure management interfaces are not publicly routable and use firewall rules to restrict access.

Does the patch completely prevent exploitation, or are there known bypasses?

Tenda's patch should address the buffer overflow condition in the save_list_data parameter processing. However, verify the patch version against Tenda's official advisory to confirm the fix is complete. Bypasses are not currently public, but apply updates promptly to avoid future disclosures.

Can I protect my router without updating firmware immediately?

Temporary mitigations include disabling remote management access, restricting HTTP access via firewall rules, and monitoring for reboots or service interruptions. However, these are stop-gaps. Firmware patching is the proper remediation and should be scheduled as soon as your testing cycle permits.

What should I do if the router crashes during a critical business period?

Keep a backup network path (mobile hotspot, redundant ISP, or secondary router) available for critical services. Have Tenda support contact information and the latest firmware image ready. After recovery, apply the patch immediately and consider deploying a redundant device if this router is single-point-of-failure infrastructure.

This analysis is based on publicly disclosed vulnerability data as of June 2026. Patch availability, version numbers, and vendor timelines should be verified directly with Tenda Technology Co., Ltd. SEC.co does not host or distribute exploit code and recommends coordinated disclosure practices. Organizations should conduct their own risk assessment based on their network architecture, device deployment, and business criticality before patching decisions. This document is for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).