HIGH 7.5

CVE-2026-36803: Tenda PW201A Buffer Overflow DoS Vulnerability

A buffer overflow vulnerability has been identified in Tenda PW201A v1.0.5, a wireless power management device. The vulnerability exists in how the device handles the 'page' parameter within its QoS (Quality of Service) settings function. An attacker can exploit this by sending a specially crafted HTTP request to cause the device to crash or become unresponsive, effectively disabling it until reboot. No authentication is required to trigger this vulnerability, and it can be exploited remotely over the network.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda PW201A v1.0.5 was discovered to contain a buffer overflow in the page parameter of the qossetting function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36803 is a classic stack-based or heap-based buffer overflow (CWE-120) in the qossetting function of Tenda PW201A firmware v1.0.5. The vulnerability is triggered by insufficient bounds checking on the 'page' parameter when processing HTTP requests. By sending a request with an oversized page parameter value, an attacker can overflow an adjacent buffer, corrupting memory and causing abnormal termination of the affected process. The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH severity) with a network attack vector, low attack complexity, no privilege requirements, and no user interaction needed. The impact is restricted to availability (DoS); confidentiality and integrity are not affected.

Business impact

For organizations deploying Tenda PW201A devices in network infrastructure, this vulnerability poses a denial-of-service risk. An attacker with network access to the device can remotely disable power management capabilities, potentially affecting facility operations, data center uptime, or networked device availability depending on the deployment context. The ease of exploitation (no authentication required) means any internet-connected instance is at risk. Incident response and recovery efforts would be required to restore service, creating operational disruption and potential financial impact.

Affected systems

The vulnerability affects Tenda PW201A v1.0.5 specifically. Users should verify whether they are running this exact firmware version. Other versions of the PW201A and other Tenda product lines may or may not be affected; consult the vendor's advisory for a complete product scope. Given that no vendors_products list was provided in the vulnerability record, affected organizations should confirm their device model and firmware version against official Tenda documentation.

Exploitability

Exploitability is high. The vulnerability requires only network access and a simple HTTP request—no authentication, special privileges, or user interaction is needed. The attack can be launched by any network-adjacent attacker, including those on the internet if the device is exposed. Crafting the malicious HTTP request is straightforward once the vulnerable parameter and overflow threshold are identified. No exploit code is needed; a basic fuzzing or manual overflow attempt against the page parameter will trigger the DoS condition.

Remediation

The primary remediation is to upgrade Tenda PW201A firmware to a patched version released by Shenzhen Tenda Technology Co., Ltd. Contact the vendor or check their support portal for firmware updates addressing CVE-2026-36803. As an interim measure, restrict network access to the device by placing it behind a firewall, limiting HTTP access to trusted administrative networks only, or temporarily disabling the device if it is not critical to operations. Monitor for any unexpected device crashes or unresponsiveness that may indicate exploitation attempts.

Patch guidance

Visit the official Tenda support website or contact Tenda customer support to obtain the latest firmware version for PW201A. Firmware updates typically involve downloading the image, logging into the device's management interface, and uploading the new firmware through the web UI or using a management tool. Before applying patches in production, test in a non-critical environment to ensure compatibility and proper functionality. Document the current firmware version before and after patching for audit purposes.

Detection guidance

Network-level detection can monitor for HTTP requests containing unusually large or malformed 'page' parameter values sent to the device's QoS settings endpoint. Intrusion detection systems (IDS) or web application firewalls (WAF) should be configured to flag requests that exceed normal parameter length thresholds. On the device itself, monitor system logs for unexpected process crashes, core dumps, or resets correlated with incoming HTTP traffic. If the device supports NetFlow or syslog, review for signs of abnormal traffic patterns or service disruptions. Consider implementing rate limiting on HTTP requests to the management interface.

Why prioritize this

This vulnerability merits prompt attention due to its HIGH severity rating, ease of exploitation, and lack of access controls. Any organization with exposed Tenda PW201A v1.0.5 devices should prioritize patching or mitigation immediately. The lack of authentication and user interaction requirements means this is a low-barrier attack suitable for opportunistic exploitation. Prioritize based on whether the device is internet-facing or accessible from untrusted networks.

Risk score, explained

The CVSS v3.1 score of 7.5 (HIGH) reflects the combination of remote network exploitability, low attack complexity, and no authentication requirement—all factors that increase attack likelihood. However, the impact is limited to availability; there is no data exfiltration or system compromise possible. The score would be higher (CRITICAL) if confidentiality or integrity were affected, but the DoS-only impact keeps it in the HIGH range. Organizations should treat this as a significant but not apocalyptic threat.

Frequently asked questions

Is my Tenda device vulnerable if I'm running firmware other than v1.0.5?

The publicly disclosed vulnerability specifically affects v1.0.5. Other versions may or may not be vulnerable; contact Tenda support or review their official vulnerability advisory for the complete list of affected firmware versions.

Can this vulnerability be exploited without internet access to the device?

Yes. Any attacker with network access to the device—whether from the internal network, a compromised device on the same network, or the internet—can exploit this vulnerability. This includes both direct network access and access through tunnels or VPNs.

What is the difference between this vulnerability and other buffer overflows?

This buffer overflow is in a network-facing service (HTTP server) that processes unauthenticated requests, making it trivially exploitable. Many buffer overflows require local access or authentication, significantly reducing risk. Here, an attacker needs only to send a malformed HTTP request.

If my device crashes from this exploit, is my data at risk?

A DoS crash does not typically expose data—the crash terminates the process and may reset the device. However, if the device stores sensitive configuration or logs, ensure they are encrypted and protected. The primary risk is loss of availability, not data breach.

This analysis is based on publicly available information as of the publication and modification dates provided. Vulnerability details, affected versions, patch availability, and remediation steps may change as vendor advisories are updated. Organizations should verify all technical claims, patch versions, and affected product lists against official Tenda Technology security advisories and their own device inventory. No exploit code or weaponized proof-of-concept is provided. This content is for informational purposes to support security decision-making and should not be treated as definitive technical guidance without independent verification. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).