HIGH 7.5

CVE-2026-36797: Tenda G0 Stack Overflow DoS Vulnerability

A stack overflow vulnerability exists in Tenda G0 routers running firmware version 15.11.0.5. The flaw is triggered through an HTTP request parameter used for IP-MAC binding rules, allowing unauthenticated attackers to crash the device remotely. No code execution is possible, but the impact is a complete denial of service—the router becomes unavailable until manually rebooted.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a stack overflow in the IPMacBindRuleIp parameter of the formIPMacBindModify function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36797 is a classic stack overflow in the formIPMacBindModify function, specifically in how the IPMacBindRuleIp parameter is processed. The vulnerability stems from insufficient bounds checking (CWE-120: Buffer Copy without Checking Size of Input) when copying user-supplied data into a fixed stack buffer. An attacker can craft an oversized HTTP request containing this parameter to overwrite the stack and crash the affected process, resulting in denial of service. The CVSS 3.1 score of 7.5 (HIGH severity) reflects the network-accessible attack vector requiring no authentication or user interaction, though the impact is limited to availability.

Business impact

Organizations deploying Tenda G0 routers as edge network infrastructure face service disruption risk. A successful attack renders the router non-functional, potentially affecting all dependent network segments until the device is manually power-cycled. This is particularly problematic in remote or branch office deployments where physical access is limited. The vulnerability does not enable data exfiltration, authentication bypass, or lateral movement, but its ease of exploitation (no credentials or user interaction required) makes it attractive for disruptive attacks or extortion scenarios. Businesses should evaluate whether affected routers are critical to continuity and prioritize accordingly.

Affected systems

Tenda G0 routers running firmware version 15.11.0.5 are confirmed vulnerable. Organizations should verify their current firmware version via the router's administrative interface or configuration export. The vendor has not published a list of broader affected versions in the source data; you should consult Tenda's official security advisory to determine if earlier or later firmware versions are impacted. Tenda has not released patch information in the available disclosure, so immediate remediation options are limited to isolation, replacement, or firmware updates if available from the vendor.

Exploitability

This vulnerability is straightforward to exploit. No authentication is required—an attacker simply needs network access to the router's HTTP interface (typically the WAN-facing management port or internal network). The attack is deterministic: a properly crafted oversized HTTP request with a malformed IPMacBindRuleIp parameter reliably crashes the device. Proof-of-concept exploit code likely exists or can be rapidly developed given the simplicity of the underlying flaw. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the low barrier to exploitation suggests that could change. Organizations should assume active exploitation is possible or imminent if routers are internet-exposed or accessible to untrusted network segments.

Remediation

First, verify your Tenda G0 firmware version and confirm whether it matches 15.11.0.5. If you are running this version, immediately consult Tenda's official security advisories for available firmware patches. If no patch is available, consider these interim measures: (1) Restrict HTTP/HTTPS access to the router's administrative interface using firewall rules or network segmentation—limit management access to authorized administrative networks only; (2) Disable remote management if the router supports it; (3) Monitor for unexpected router reboots as a sign of exploitation attempts; (4) Plan replacement with an alternative router model if Tenda does not release a timely patch. Test any firmware update in a non-production environment first.

Patch guidance

Verify the latest firmware available from Tenda's support site for the G0 model. As of the vulnerability disclosure date (June 2026), no specific patch version number is confirmed in the source data. Contact Tenda support or check their security advisory page for the recommended firmware version that addresses CVE-2026-36797. Firmware updates for network devices should be applied during a maintenance window to avoid service disruption. Back up the router configuration before updating. Follow Tenda's documented update procedure to avoid bricking the device. Once patched, confirm the router is functioning correctly and that network connectivity is stable.

Detection guidance

Monitor for HTTP requests to your Tenda G0 routers that contain unusually long or malformed parameters in the IP-MAC binding configuration interface (typically accessible at the router's management URL). Intrusion detection systems can be tuned to flag oversized HTTP POST/GET requests targeting known vulnerable endpoints. Check router logs for unexpected restarts, crashes, or error messages from the binding rule processing function. Network-based detection is challenging without vendor-provided signatures, but organizations can baseline normal traffic patterns and alert on anomalies. If possible, enable debug logging on the router to capture details of crashes. Implement network segmentation so that only authorized administrators can reach the management interface.

Why prioritize this

Despite a HIGH CVSS score, this vulnerability should be prioritized based on exploitability and your network topology. If your Tenda G0 routers are internet-facing or accessible from untrusted networks, patch or isolate them immediately—the low barrier to exploitation and high likelihood of active scanning make this urgent. If routers are strictly behind firewalls and accessible only from trusted management networks, the risk is lower, but you should still plan a patch cycle within 30 days. The lack of KEV catalog status does not indicate low risk; it suggests either the vulnerability was recently disclosed or active exploitation has not yet been formally tracked by federal agencies. Organizations should not use KEV status as the sole prioritization criterion.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects a HIGH severity vulnerability with critical attack prerequisites: no authentication (PR:N), no user interaction (UI:N), and direct network accessibility (AV:N, AC:L). The impact scope is unchanged (S:U), and the confidentiality and integrity impacts are none (C:N, I:N), but availability impact is severe (A:H) because the router becomes completely unavailable after a successful attack. The score accurately represents the ease of exploitation but does not account for business context—organizations running these routers as non-critical devices may rate the risk lower than the score suggests, while those depending on them for critical connectivity may rate it higher. Use CVSS as a technical baseline, not the sole prioritization input.

Frequently asked questions

Is my Tenda G0 router vulnerable if I'm running a different firmware version?

The confirmed vulnerable version is 15.11.0.5. Other versions may or may not be affected depending on whether they contain the same code path. Check Tenda's security advisory for the full list of affected versions. Do not assume other versions are safe without vendor confirmation.

Can this vulnerability be exploited if my router is behind a firewall and not internet-exposed?

Exploitability depends on network access. If the router's management interface is only accessible from trusted internal networks, the risk is significantly lower but not eliminated—disgruntled insiders or compromised internal devices could still attack it. If any untrusted device can reach the router, the vulnerability is critical. Network segmentation is essential.

What happens when the vulnerability is exploited?

The router crashes and becomes unavailable until it is manually power-cycled. No data is stolen, no accounts are compromised, and the attacker cannot gain persistent access. The impact is purely denial of service. After reboot, the router functions normally until the next attack.

Should I replace my Tenda G0 router if no patch is released?

If Tenda releases a patch within a reasonable timeframe (30-90 days), patching is the most cost-effective option. If the vendor does not patch or offers only extended timelines, replacement with a supported alternative is prudent, especially if the router is business-critical or internet-exposed. Evaluate your risk tolerance and the cost of replacement against the cost of an extended outage from a DoS attack.

This analysis is provided for informational purposes and reflects information available as of the vulnerability disclosure date. CVSS scores and affected versions are sourced from official CVE records; verify all details against Tenda's official security advisories before taking action. Exploit code examples are not provided in this document. Organizations must conduct their own risk assessments based on their environment and should consult with Tenda support and their security teams for guidance specific to their deployments. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for decisions made based on this information. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).