HIGH 7.5

CVE-2026-36792: Stack Overflow in Tenda W3 Router Firmware (DoS)

A flaw has been discovered in Tenda W3 wireless routers (version 1.0.0.3 build 2204) that allows an attacker to crash the device remotely without authentication. By sending a specially crafted network request, an attacker can trigger a memory overflow condition that destabilizes the router's operation, rendering it unavailable until it is manually restarted. This is a denial-of-service vulnerability—the attacker cannot steal data or take control of the device, but can disrupt network connectivity for anyone relying on that router.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formWifiRadioSet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the formWifiRadioSet function, specifically in how it processes the wl_radio HTTP request parameter. The function fails to properly validate the length of user-supplied input before copying it into a fixed-size stack buffer, creating a classic stack overflow condition (CWE-121). Because the affected firmware does not implement modern memory protections or input sanitization, an unauthenticated remote attacker can send an oversized wl_radio parameter value that overwrites stack memory. This corruption can trigger an exception or crash the router's web service and underlying network daemon, causing the device to stop responding to requests.

Business impact

Organizations and households using affected Tenda W3 routers face intermittent or sustained loss of network connectivity if an attacker exploits this flaw. In enterprise or small-office environments, such an outage could disrupt business operations, prevent VoIP or remote work connectivity, and require manual intervention to restart equipment. For managed service providers or network administrators, this vulnerability represents an operational risk—attackers could systematically target fleets of routers to cause widespread service disruptions. The attack requires no authentication or user interaction, making it trivial to execute at scale.

Affected systems

The confirmed affected product is the Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router running firmware version 1.0.0.3 build 2204 or earlier. Organizations should verify whether their deployments include this router model and firmware version. Tenda has released numerous products and firmware revisions; only this specific build has been confirmed vulnerable. Users should consult Tenda's official security advisories to determine if later firmware versions have addressed this issue.

Exploitability

This vulnerability is straightforward to exploit. No special privileges, authentication, or user interaction are required—an attacker on the same network or with network-layer access to the router can send a malicious HTTP request directly. The attack does not depend on social engineering or complex techniques. The CVSS 3.1 score of 7.5 (HIGH) reflects the ease of exploitation (network-accessible, no authentication, no user interaction) and the measurable impact (availability loss). However, exploitation is limited to denial of service; there is no confidentiality or integrity breach. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of the attack vector means defensive prioritization should not be delayed waiting for public proof-of-concept code.

Remediation

Firmware patches from Tenda are the definitive remedy. Organizations should immediately consult Tenda's security advisory for the Tenda W3 router and apply any available firmware updates that address this stack overflow condition. Pending patch availability or deployment, network segmentation can mitigate risk—restricting direct network access to the router's web interface (typically port 80 or 443) using firewall rules or network ACLs will prevent remote exploitation. Additionally, disabling remote management features on the router (if enabled) will block external attackers; however, this does not protect against local network attacks.

Patch guidance

Check Tenda's official support portal or security advisories for firmware updates released after June 2026 for the Tenda W3 model. Verify that any offered update version number is explicitly stated to address CVE-2026-36792 or this stack overflow vulnerability. Apply the patch during a maintenance window and reboot the router afterward. If no patch has been released, implement network-level mitigations (see remediation summary). Test internet and LAN connectivity after patching to confirm proper operation.

Detection guidance

Monitor network traffic for unusual HTTP requests to the router's management interface, particularly those containing abnormally long parameter values in the wl_radio field. Router logs (if available and properly configured) may show web service crashes or unexpected shutdowns correlated with HTTP requests. Intrusion detection systems (IDS) can be configured with signatures to flag oversized or malformed wl_radio parameters sent to the router's web server. Additionally, monitor for intermittent loss of connectivity or unexplained router reboots, which could indicate active exploitation. Network administrators should review access logs for the router's web management port (80/443) and identify any non-standard request patterns originating from unfamiliar IP addresses.

Why prioritize this

This vulnerability merits immediate attention due to its network accessibility, lack of authentication requirement, and the critical operational role of routers in any organization. A HIGH CVSS score combined with trivial exploitability means that a motivated attacker can cause immediate disruption with minimal effort. Although the impact is denial of service rather than data compromise, network unavailability is a significant business risk. Organizations with Tenda W3 routers in production should patch or segment them before attackers add public exploits to toolkits. Do not deprioritize based on the absence from the KEV catalog—that list reflects known active exploitation, not vulnerability severity.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects a HIGH-severity, network-accessible vulnerability with no authentication or user interaction required (AV:N/AC:L/PR:N/UI:N). The vector indicates a high impact on availability (A:H)—the core consequence of the stack overflow—but no impact on confidentiality or integrity (C:N/I:N). The unscoped context (S:U) means the impact is confined to the affected router itself, not other system components. A score of 7.5 indicates this is a serious operational risk requiring prompt remediation, though the absence of data-plane compromise keeps it from the critical (9.0+) tier.

Frequently asked questions

Can this vulnerability be exploited over the internet, or only from the local network?

If the router's web management interface is accessible over the internet (which is not a security best practice), then yes, the vulnerability can be exploited remotely from anywhere. However, even if remote management is disabled, an attacker on the same LAN as the router can exploit it. We strongly recommend disabling remote management and restricting web interface access via firewall rules.

Does this vulnerability affect newer Tenda router models or only the W3?

The vulnerability has been confirmed only in the Tenda W3 running firmware 1.0.0.3 build 2204 or earlier. Other Tenda router models may have similar issues, but each product line and firmware version must be independently verified. Check Tenda's security advisories for your specific model.

What happens if my router is compromised via this attack?

The attacker can crash the router, causing it to stop responding to network traffic until you manually power-cycle it. The attacker cannot access your data, change settings, or maintain persistent access. However, repeated exploitation could cause extended outages and operational disruption.

Is there a workaround if I cannot patch immediately?

Yes. Implement firewall rules to block external access to the router's web management port (typically 80 or 443), and disable remote management on the router itself if supported. Network segmentation—isolating the router's management interface to a trusted admin VLAN—will further reduce attack surface. These measures reduce but do not eliminate risk from attackers already on your local network.

This analysis is provided for informational purposes and reflects available data as of the publication date. CVSS scores, affected versions, and patch information are derived from official sources and vendor advisories; verify all patch details against Tenda's official security notices before deployment. SEC.co does not endorse or assume liability for the accuracy of vendor-supplied patches or third-party mitigation strategies. Always test patches in a non-production environment first. The absence of a vulnerability from the CISA KEV catalog does not indicate lower risk or delayed remediation priority. Organizations are responsible for assessing their own risk posture and implementing appropriate countermeasures based on their network architecture and threat landscape. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).