CVE-2026-36800: Tenda G0 Router Buffer Overflow – DoS Vulnerability & Patch Guidance
A buffer overflow vulnerability exists in Tenda G0 router firmware version 15.11.0.5, specifically in how the device processes IP-to-MAC binding deletion requests. An attacker on the network can send a specially crafted HTTP request that causes the router to crash or become unresponsive, disrupting network connectivity for all devices relying on it. No authentication is required to trigger this issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-120
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a buffer overflow in the IPMacBindIndex parameter of the formIPMacBindDel function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36800 is a classic stack-based buffer overflow (CWE-120) located in the formIPMacBindDel function's handling of the IPMacBindIndex parameter. The vulnerability stems from insufficient bounds checking on user-supplied input before copying it into a fixed-size buffer. The attack vector is network-accessible without authentication, making it trivial to exploit from any device with HTTP access to the router's management interface. The resulting memory corruption causes immediate denial of service through process termination or system reboot.
Business impact
Router availability is critical to business continuity. A successful exploit interrupts all downstream network services—email, VoIP, cloud access, and remote work connectivity. For small offices or remote branches relying on a single Tenda G0 unit, this represents a complete network outage. Organizations cannot reliably defend against this without patching, as the attack requires no special privileges or user interaction. Frequency of exploitation depends on attacker proximity to the network and visibility of the device.
Affected systems
Tenda G0 firmware version 15.11.0.5 is confirmed affected. Organizations should verify whether they operate this router model in their network infrastructure, including branch offices, remote sites, or as secondary connectivity. The vendors_products field in the source data is empty, so the scope of affected variants or firmware versions across the product line should be confirmed against Tenda's official security advisory.
Exploitability
Exploitability is very high. The attack requires only network access (no authentication), a standard HTTP client, and knowledge of the parameter name. The payload can be delivered via a single crafted GET or POST request. No user interaction is needed. The barrier to weaponization is low; an attacker with network visibility can launch an attack in minutes. The lack of CVSS Attack Complexity modifiers (AC:L) and the direct denial-of-service outcome make this immediately actionable for threat actors.
Remediation
Firmware patching is the definitive remediation. Verify the availability of a patched firmware release from Tenda and deploy it across all affected G0 units. Until patching is feasible, restrict HTTP access to the router's management interface via network segmentation—limit administrative access to a trusted management VLAN or IP whitelist. Disable remote management if it is not required. Monitor access logs for anomalous HTTP requests to the device.
Patch guidance
Contact Tenda support or check their official security advisory for patched firmware versions greater than 15.11.0.5 for the G0 model. Test patches in a non-production environment before rollout. Verify patch deployment by confirming firmware version in the router's system information panel. For legacy or end-of-life units, determine whether vendor support remains available; if not, consider hardware replacement as part of your network refresh cycle.
Detection guidance
Monitor HTTP traffic to the router's management interface for requests containing the 'IPMacBindIndex' parameter, particularly those with unusually long values or non-standard encoding. Baseline normal IP-MAC binding operations and alert on deviations. Review access logs for failed HTTP requests or unexpected device restarts correlated with management interface access. Network-based anomaly detection on router availability can serve as a tripwire for exploitation attempts.
Why prioritize this
This vulnerability merits high priority due to the combination of network accessibility, lack of authentication, simplicity of exploitation, and direct impact on availability. The CVSS score of 7.5 reflects the severity appropriately. However, organizational impact depends on router deployment: units in critical network paths or serving large user populations warrant immediate patching; units in redundant or non-critical roles may be scheduled within standard maintenance windows, provided they are not directly internet-facing.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is driven by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The network attack vector (AV:N), low complexity (AC:L), and no privilege requirement (PR:N) all lower barriers to exploitation. The unavailability impact (A:H) directly threatens service continuity. The lack of confidentiality or integrity impact (C:N/I:N) prevents a critical rating, but the availability impact is complete for affected devices. Organizations should treat this as a high-priority item that requires remediation within a short timeframe, not a lower-tier issue.
Frequently asked questions
Will patching the router disrupt network service?
Most firmware updates for routers like the Tenda G0 can be applied with a brief reboot cycle (typically 2–5 minutes). Plan patching during a maintenance window and confirm you have access to the device console in case of complications. Pre-test the patch on an identical non-production unit if possible.
Can I mitigate this without patching immediately?
Yes, if the router's management interface is not directly exposed to untrusted networks. Restrict HTTP access to a management VLAN, use an IP whitelist for administrative access, or disable remote management. However, these controls do not eliminate risk if an attacker gains network access. Patching remains the preferred long-term solution.
Is this vulnerability actively exploited in the wild?
The CVE was not marked for inclusion in the Known Exploited Vulnerabilities (KEV) catalog at the time of publication, which suggests active exploitation had not been confirmed by US government agencies. However, the simplicity of the attack means opportunistic exploitation is plausible. Monitor your environment closely and prioritize patching as if active campaigns are underway.
Why is this a buffer overflow and not a 'crash' vulnerability?
A buffer overflow is the root cause; the crash is the observable consequence. The IPMacBindIndex parameter is copied into a fixed-size buffer without bounds checking. Oversized input overwrites adjacent memory, corrupting the process and causing an immediate denial of service. Understanding the root cause helps security teams identify similar patterns in other applications and firmware on the network.
This analysis is based on disclosed vulnerability information as of the publication date and does not constitute a guarantee of patch availability, timeline, or scope. Verify all patch versions, firmware downloads, and compatibility against Tenda's official security advisory before deployment. Organizations should conduct their own risk assessment based on network topology, device usage, and exposure. SEC.co makes no warranty regarding the completeness or accuracy of vendor remediation guidance and recommends independent validation of patched firmware functionality in your environment. Exploitation techniques and proof-of-concept code are not provided in this publication. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution
- CVE-2026-10126HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10163HIGHEdimax BR-6478AC Buffer Overflow in USB Account Handler
- CVE-2026-10164HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution