HIGH 7.5

CVE-2026-36794: Tenda W3 Router Stack Overflow Denial of Service

A Tenda W3 wireless router running firmware version 1.0.0.3(2204) contains a flaw in how it processes login credentials. An attacker can send a specially crafted web request with oversized username or password fields to crash the router, temporarily knocking it offline. No authentication is required—an attacker on the network can trigger this remotely. The vulnerability causes a denial-of-service condition but does not leak data or allow unauthorized access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain multiple stack overflows in the R7WebsSecurityHandler function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36794 is a stack overflow vulnerability in Tenda W3 v1.0.0.3(2204) affecting the R7WebsSecurityHandler function. The flaw exists in improper bounds checking on the username and password parameters within HTTP requests sent to the router's web interface. When these parameters receive input exceeding the allocated stack buffer, a stack overflow occurs, corrupting the function's execution context and crashing the process. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). Because the affected web handler does not require authentication and the router accepts HTTP requests from any network source, the attack surface is broad and pre-authentication exploitation is possible.

Business impact

Router outages directly disrupt internet connectivity for users and any services depending on the router. In small business or remote office settings, a denial-of-service via this flaw could interrupt voice-over-IP systems, cloud application access, and surveillance feeds. Recovery requires manual reboot. For managed service providers or IT teams maintaining fleets of Tenda routers, this vulnerability increases operational burden if exploited at scale. The lack of data breach or lateral movement risk limits impact primarily to availability; however, availability failures are operationally significant for network-critical equipment.

Affected systems

Tenda W3 Wireless Router firmware version 1.0.0.3(2204) is confirmed vulnerable. The vulnerability is present in the R7WebsSecurityHandler function, which is part of the router's web-based management interface. Organizations and individuals using this specific firmware version on Tenda W3 routers should treat their devices as affected. Verify your router's firmware version in the device's web administration panel or system information page; the vulnerable version identifier is 1.0.0.3(2204).

Exploitability

Exploitability is straightforward and does not require sophisticated techniques. An attacker needs only the ability to send HTTP requests to the router's web interface (typically reachable at the router's default gateway IP, commonly 192.168.0.1). No authentication credentials are needed to trigger the overflow. Crafting the malicious payload requires knowledge of buffer sizes or fuzzing, but proof-of-concept tools could be developed quickly by someone familiar with web-based network device exploitation. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects this: network-accessible, low attack complexity, no privilege or user interaction required, and high impact to availability. The attack is not dependent on user interaction or complex conditions, making it practical for adversaries.

Remediation

Tenda has not published a patched firmware version in the source data reviewed. Organizations should contact Tenda support or check the product support page for an updated firmware release that addresses this stack overflow. In the interim, mitigating controls include restricting network access to the router's web management interface by disabling remote administration features, configuring the router to deny HTTP/HTTPS requests from untrusted networks, and isolating the router to a protected management segment if possible. However, these controls are often impractical in typical deployments; patching is the definitive solution.

Patch guidance

Verify the latest firmware release available from Tenda's official support channels for the W3 model. The vulnerable version is 1.0.0.3(2204); any subsequent release should be evaluated against Tenda's advisory to confirm the stack overflow in R7WebsSecurityHandler has been remediated. Firmware updates are typically applied via the router's web interface under System Settings or Administration. Before updating, back up any custom configurations. Plan the update during a maintenance window to avoid service interruption. Once updated, verify the new firmware version appears in the device's system information to confirm successful deployment.

Detection guidance

Network-based detection: monitor for HTTP POST requests to the router's web interface with abnormally large payloads in the username or password fields—typical credential fields should not exceed a few hundred bytes. Anomalous request sizes, repeated requests in short timeframes, or requests from suspicious external sources warrant investigation. Device-based detection: enable router logging if available and watch for repeated web service restarts or crashes, which may indicate exploitation attempts. Intrusion detection systems configured with signatures for buffer overflow attempts against web management interfaces on Tenda devices can raise alerts. Behavioral indicators include sudden router reboot cycles or loss of remote management connectivity. Correlation with failed authentication attempts may suggest attack reconnaissance.

Why prioritize this

This vulnerability merits high prioritization for any organization operating Tenda W3 routers at firmware 1.0.0.3(2204). The CVSS score of 7.5 (HIGH) reflects the combination of network accessibility, no authentication requirement, and guaranteed availability impact. While data confidentiality and integrity are not at risk, the denial-of-service impact on network infrastructure justifies urgent patching once a fix is available. The vulnerability is readily exploitable, meaning exploitation in the wild is plausible if public disclosure or proof-of-concept tools emerge. Inventory affected devices immediately and prioritize firmware updates as soon as vendor patches are released.

Risk score, explained

The CVSS 3.1 score of 7.5 is derived from: Attack Vector (Network) indicating remote exploitability, Attack Complexity (Low) reflecting straightforward exploitation, Privileges Required (None) and User Interaction (None) confirming pre-authentication unauthenticated attack capability, Scope (Unchanged) limiting impact to the router itself, and Availability (High) indicating the service becomes completely unavailable upon successful exploitation. Confidentiality and Integrity impacts are rated None because the overflow does not leak data or allow unauthorized modification of router settings. The HIGH severity reflects the practical threat: network infrastructure unavailability is a critical operational concern, and the ease of exploitation makes this a realistic and imminent risk if not patched.

Frequently asked questions

Can this vulnerability be exploited from the internet if the router is behind NAT?

Yes, if the router's web management interface is exposed (e.g., via port forwarding, UPnP, or remote administration enabled). If the router is configured in standard NAT mode with default settings and remote administration disabled, the web interface is not directly reachable from the internet. However, an attacker on the same local network (WiFi or wired) can always exploit it. Verify that your router has remote administration disabled and no port forwarding rules expose the management port.

Does this vulnerability affect other Tenda router models?

The vulnerability is confirmed in the Tenda W3 at firmware 1.0.0.3(2204). The R7WebsSecurityHandler function may exist in other Tenda models, but vulnerability status must be verified through Tenda's advisory or testing. Do not assume other Tenda router models are unaffected; check Tenda's official security announcements for a complete list of impacted products and firmware versions.

Will a factory reset protect my router if I cannot update the firmware immediately?

A factory reset restores default firmware but does not eliminate the underlying vulnerability if you revert to version 1.0.0.3(2204). Factory reset is not a substitute for patching. Disable remote administration and restrict web interface access to trusted local IPs as a temporary mitigation, but these do not prevent exploitation by attackers on your local network.

How do I verify my Tenda W3 firmware version?

Log into your router's web interface (typically 192.168.0.1 or 192.168.1.1), look for System Settings, Administration, or About sections, and locate the firmware version field. If it displays 1.0.0.3(2204) or similar version string, your device is vulnerable. Document this during your vulnerability scan and prioritize patching once vendor updates are available.

This analysis is based on the CVE record and public vendor information current as of the publication date. Patch availability and timeline are subject to vendor release schedules; readers must verify directly with Tenda for the latest firmware release and security advisories. This document does not constitute legal or compliance advice. Organizations should adapt remediation timelines to their risk tolerance and operational constraints. Exploit code or detailed proof-of-concept is not provided; security researchers are encouraged to follow responsible disclosure practices. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).