CVE-2026-36802: Tenda PW201A Buffer Overflow DoS Vulnerability
A memory overflow vulnerability exists in Tenda's PW201A v1.0.5 wireless access point. The flaw is in how the device processes the 'page' parameter in its SafeMacFilter function. An unauthenticated attacker can send a specially crafted HTTP request to crash the device, causing a denial of service. No user interaction is required.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-120
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda PW201A v1.0.5 was discovered to contain a buffer overflow in the page parameter of the SafeMacFilter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36802 is a classic buffer overflow (CWE-120) in the SafeMacFilter function of Tenda PW201A v1.0.5. The vulnerability stems from insufficient bounds checking on the 'page' parameter during HTTP request processing. When a malformed request exceeds the allocated buffer, stack or heap memory is overwritten, leading to application crash and loss of device availability. The attack vector is network-based, requires no authentication or special privileges, and impacts the availability attribute of the device.
Business impact
Organizations deploying Tenda PW201A v1.0.5 units face intermittent network outages if exploited. A DoS attack could disrupt wireless connectivity for entire floors or branches, interrupting productivity and potentially affecting dependent services. Repeated attacks may suggest reconnaissance by a threat actor preparing for lateral movement or data exfiltration. While remote code execution is not confirmed, the underlying memory corruption creates risk for future variant exploitation.
Affected systems
Tenda PW201A version 1.0.5 is confirmed vulnerable. Organizations using this model should verify firmware versions against vendor advisories to determine full scope. Tenda has released updated firmware to address this issue; verify against the vendor advisory for specific patch version numbers and supported devices.
Exploitability
Exploitability is straightforward. The vulnerability requires only a network connection and no authentication, authentication, or user interaction. An attacker can craft and send a single HTTP request from anywhere on the internet to trigger the crash. Proof-of-concept code is likely to emerge post-disclosure, and automated scanning tools may soon detect vulnerable endpoints. CVSS score of 7.5 (HIGH) reflects the ease of exploitation offset by the impact scope limited to availability.
Remediation
Firmware patching is the primary remediation. Tenda has released updated firmware; verify the specific version number and deployment timeline against the vendor advisory. Until patching is completed, consider network segmentation to restrict direct internet access to wireless management interfaces, implement rate-limiting on HTTP requests to the device, and monitor device logs for abnormal access patterns. Additionally, disable the SafeMacFilter feature if not in use.
Patch guidance
1. Check your Tenda PW201A firmware version (navigate to device settings or management portal; verify against the Tenda advisory for the exact patched version number). 2. Download the latest firmware from Tenda's official support site. 3. Back up device configuration before upgrading. 4. Perform a staged rollout in non-critical areas first to ensure stability. 5. Verify successful upgrade and test wireless connectivity and filtering policies post-patch. 6. Document patch date and version for compliance records.
Detection guidance
Monitor for HTTP requests with unusually long or malformed 'page' parameters sent to Tenda device management interfaces (typically port 80 or 443). Network intrusion detection systems (IDS) should be configured to flag requests exceeding normal parameter length thresholds. Log access to SafeMacFilter function endpoints and correlate with device reboots or service interruptions. Endpoint detection and response (EDR) tools on administrative machines can alert on suspicious connections to vulnerable device IPs.
Why prioritize this
Although this is a denial-of-service vulnerability with no confirmed code execution, the HIGH CVSS score, lack of authentication requirement, and ease of remote exploitation make it a priority for patching. The risk of weaponized DoS attacks targeting enterprise wireless infrastructure is significant, and the underlying memory corruption could be a stepping stone for more severe variants. Organizations should prioritize patching within 30 days of advisory publication.
Risk score, explained
CVSS 7.5 (HIGH) reflects: Network attack vector (AV:N) and low complexity (AC:L) result in easy exploitation; no authentication required (PR:N) and no user interaction needed (UI:N) increase likelihood; impact is limited to availability (A:H), not confidentiality or integrity (C:N, I:N), preventing a CRITICAL rating. The score appropriately captures the real-world risk of widespread DoS disruption without overstating the damage scope.
Frequently asked questions
Is remote code execution possible through this vulnerability?
Based on published details, the confirmed impact is denial of service via memory crash. However, buffer overflows can sometimes be escalated to code execution. Organizations should assume code execution is possible in future variants and prioritize patching accordingly.
Can this vulnerability be exploited from inside the network only, or from the internet?
The vulnerability is remotely exploitable from the internet without authentication. Any attacker with network access to the device's management interface can trigger the crash via HTTP.
Do all Tenda PW201A devices have this issue?
Only v1.0.5 is confirmed vulnerable. Other firmware versions and models may not be affected. Verify your specific firmware version in device settings and cross-reference with the vendor advisory before assuming risk.
What should I do if I cannot patch immediately?
Implement compensating controls: disable public internet access to the device management interface, restrict access to trusted administrative IP ranges only, enable firewall rules to limit malformed HTTP requests, and closely monitor device logs for exploitation attempts. Schedule patching within 30 days.
This analysis is provided for informational purposes only and does not constitute professional security advice. Organizations should validate all technical claims against official vendor advisories and conduct independent risk assessment based on their specific environment and threat posture. SEC.co does not warrant the accuracy or completeness of vulnerability details and recommends consulting authoritative sources such as vendor security bulletins, NVD records, and security research publications. Exploit code should never be executed in production environments without explicit authorization from network owners. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution
- CVE-2026-10126HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10163HIGHEdimax BR-6478AC Buffer Overflow in USB Account Handler
- CVE-2026-10164HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution