CVE-2026-36801: Tenda G0 Buffer Overflow Denial of Service Vulnerability
A buffer overflow vulnerability has been identified in Tenda G0 router firmware version 15.11.0.5. The flaw exists in how the device processes the IPMacBindRule parameter when handling IP-MAC binding configuration requests. An unauthenticated attacker on the network can exploit this by sending a specially crafted HTTP request to crash the router, causing a denial of service. No authentication is required, and the attack can be performed remotely over the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-120
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a buffer overflow in the IPMacBindRule parameter of the formIPMacBindAdd function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36801 is a classic stack-based or heap-based buffer overflow (CWE-120) in the formIPMacBindAdd function of Tenda G0 firmware v15.11.0.5. The vulnerability stems from insufficient input validation of the IPMacBindRule parameter, which fails to enforce bounds checking before copying user-supplied data into a fixed-size buffer. This allows an attacker to overwrite adjacent memory, leading to process termination and denial of service. The attack vector is network-based with no prerequisites: AV:N/AC:L/PR:N/UI:N. The integrity and confidentiality of the system are not directly compromised, but availability is severely impacted (A:H).
Business impact
Affected routers become inoperable until manually rebooted, disrupting network access for all connected users and devices. In business environments, this can interrupt internet connectivity, VoIP services, and internal network access. Repeated attacks could trigger a persistent denial-of-service condition, requiring administrative intervention. Organizations relying on Tenda G0 routers for primary or backup connectivity face operational downtime. The vulnerability is not difficult to exploit, making it a practical attack vector for both opportunistic actors and those conducting network disruption campaigns.
Affected systems
The confirmed affected product is Shenzhen Tenda Technology Co., Ltd Tenda G0 running firmware version 15.11.0.5. Organizations should inventory Tenda G0 devices in their network, particularly those accessible from untrusted networks. While the vendor and product information provided focuses on v15.11.0.5, it is prudent to assume other firmware versions may be similarly vulnerable unless explicitly patched by the vendor. Users should consult Tenda's advisory to confirm which firmware versions are affected and remediated.
Exploitability
This vulnerability is highly exploitable. The attack requires no authentication, no special user interaction, and can be executed by any network-adjacent attacker. The network attack vector (AV:N) and low attack complexity (AC:L) mean that exploitation is straightforward: a single HTTP request with a crafted IPMacBindRule payload will crash the device. Public information about buffer overflow exploitation in embedded systems is readily available. The lack of ASLR, DEP, or stack canaries in many consumer router firmware implementations further reduces the bar for exploitation. This is not currently listed in the CISA KEV catalog, but the simplicity of triggering a DoS makes it a practical threat even without weaponized proof-of-concept code circulating.
Remediation
Tenda should release a firmware patch that implements proper bounds checking and input validation for the IPMacBindRule parameter, ideally including safe string handling functions (e.g., strncpy instead of strcpy) and stack-based protections. Users should immediately check Tenda's official support website for available firmware updates addressing this CVE. Firmware updates for consumer routers are often available via the web interface under System Settings > Firmware Upgrade. Before applying any update, users should note their current configuration and back up settings where possible. If no patch is available from the vendor, network-based mitigations such as restricting access to the router's web interface via firewall rules may reduce exposure.
Patch guidance
Monitor Tenda's official support portal and security advisories for a patched firmware release. When available, apply the update through the router's administrative interface (typically accessible via 192.168.0.1 or 192.168.1.1). Verify the firmware version after reboot to confirm successful installation. For organizations managing multiple Tenda G0 devices, consider staging the patch in a test environment first to ensure no configuration conflicts. As of the last modification date (2026-06-17), no specific patch version number has been released; coordinate with your vendor contact or check their security bulletin for timeline and download links.
Detection guidance
Monitor HTTP traffic to Tenda G0 management interfaces for requests containing the IPMacBindRule parameter, especially those with unusually long or binary-laden payloads. Log sudden device reboots or loss of connectivity from known Tenda G0 IP addresses. Network intrusion detection systems should flag HTTP POST requests to the formIPMacBindAdd endpoint with oversized or malformed parameters. On the device itself (if logs are accessible), look for segmentation faults, kernel panic messages, or unexpected restarts correlated with incoming HTTP requests. Consider placing Tenda G0 routers on a dedicated management VLAN with restricted access to reduce the attack surface.
Why prioritize this
This vulnerability merits high priority despite its lack of KEV status. The CVSS 3.1 score of 7.5 (HIGH severity) reflects the ease of exploitation, lack of prerequisites, and direct impact to network availability. In an organization dependent on Tenda G0 for production connectivity, a single unauthenticated network request can trigger outage. The low attack complexity and absence of authentication requirements mean this will likely be targeted by both automated scanners and focused attackers. Patching should begin immediately upon vendor patch availability, and interim network segmentation is advised for high-criticality deployments.
Risk score, explained
The CVSS 3.1 score of 7.5 is justified by the combination of network accessibility (AV:N), low complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N). While confidentiality and integrity are not compromised, availability is severely impacted (A:H). In practical terms, any attacker with network access can instantly disable the device. The scope is unchanged (S:U), meaning the impact is limited to the router itself, not the broader system. Organizations should treat this as a critical availability risk proportional to their dependence on the affected hardware.
Frequently asked questions
Can an attacker gain administrative access or steal data with this vulnerability?
No. The buffer overflow causes a denial of service by crashing the router; it does not provide a pathway to code execution, authentication bypass, or data exfiltration based on the current analysis. The impact is limited to disrupting network availability.
Is my Tenda router automatically vulnerable if I own a G0 model?
Potentially. The confirmed vulnerability affects firmware version 15.11.0.5. Check your current firmware version under System Settings > System Tools > Firmware Version. If you are running v15.11.0.5, you are vulnerable. Other versions may be affected; consult Tenda's security advisory for a complete list of impacted firmware releases.
What should I do immediately if I cannot wait for a patch?
Restrict network access to your Tenda G0's management interface (typically port 80/443) using a firewall or access control list. Only allow administrative access from trusted IP addresses or management VLANs. Disable remote management features if they are enabled. This reduces the exposure window until a vendor patch is available.
Why is this not on the CISA KEV (Known Exploited Vulnerabilities) list yet?
The CISA KEV catalog tracks vulnerabilities observed in active attacks in the wild. This CVE may be added to KEV if exploitation becomes widespread. Regardless of KEV status, organizations should not delay remediation; the vulnerability is trivial to exploit and poses immediate operational risk.
This analysis is based on publicly available vulnerability data as of 2026-06-17. Specific patch version numbers, vendor advisories, and affected firmware versions beyond v15.11.0.5 should be verified directly with Shenzhen Tenda Technology Co., Ltd. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment and testing in a controlled environment before deploying patches or security controls. This document is for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution
- CVE-2026-10126HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10163HIGHEdimax BR-6478AC Buffer Overflow in USB Account Handler
- CVE-2026-10164HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution