CVE-2026-36805: Tenda G0 Buffer Overflow Denial of Service Vulnerability
Tenda G0 routers running firmware version 15.11.0.5 contain buffer overflow vulnerabilities in a function that handles QQ list data. An attacker can send a specially crafted HTTP request to crash the device, causing a denial of service. No authentication is required, and the attack can be launched over the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain multiple buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36805 is a stack-based buffer overflow vulnerability (CWE-121) in the Saveqqlist function of Tenda G0 v15.11.0.5. The vulnerability exists in the processing of the qqStr and markStr HTTP parameters. Insufficient input validation allows attackers to overwrite stack memory with controlled data, resulting in uncontrolled process termination. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network-accessible, unauthenticated attack surface with high availability impact.
Business impact
Tenda G0 routers are commonly deployed as edge network devices in small offices and home networks. A successful DoS attack renders the device inoperable, interrupting internet connectivity and any services dependent on it. For organizations relying on these routers for branch office or remote site connectivity, such outages can cascade into broader business disruption. The ease of exploitation increases the likelihood of opportunistic attacks at scale.
Affected systems
This vulnerability affects Tenda G0 firmware version 15.11.0.5. Organizations should inventory Tenda G0 devices and determine their current firmware versions. The vulnerability description does not enumerate all affected firmware versions; users of other G0 versions should consult Tenda's official security advisories to determine whether they are in scope.
Exploitability
This vulnerability is readily exploitable. It requires only network access, no authentication, and no user interaction. An attacker can craft a malicious HTTP request targeting the vulnerable Saveqqlist function and send it to any exposed Tenda G0 device. The low attack complexity and lack of privilege or interaction requirements make this attractive for automated scanning and opportunistic exploitation. However, the vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been widely documented at this time.
Remediation
Apply the latest firmware update from Tenda that patches the buffer overflow in the Saveqqlist function. Verify the patched version against Tenda's official security advisory to confirm the fix is included. As an interim measure, restrict HTTP access to the device's management interface using firewall rules, network segmentation, or access control lists to limit exposure to potential attackers.
Patch guidance
Check Tenda's official support website and security advisories for firmware updates addressing CVE-2026-36805. Firmware updates for Tenda G0 devices are typically deployed through the device's web interface (Settings > Firmware Upgrade) or via a downloadable image from Tenda's support portal. Before applying any update, back up your device configuration. Test updates in a non-production environment if feasible. Document the pre-patch and post-patch firmware versions for compliance and change management records.
Detection guidance
Monitor for HTTP POST/GET requests to the Tenda G0 device containing suspicious parameters named 'qqStr' or 'markStr' with unusually long payloads or binary data. Check device logs for unexpected reboots or process crashes coinciding with HTTP requests. Network-based detection can identify scanning patterns targeting Tenda G0 devices on standard HTTP ports. Intrusion detection systems may flag attempts to overflow stack buffers via web parameters. Device uptime monitoring can alert to unexpected restarts caused by DoS attacks.
Why prioritize this
Although this vulnerability is not yet on the CISA KEV catalog, it warrants high priority due to its accessibility (network-based, no authentication), high availability impact, and the prevalence of Tenda G0 routers in distributed network architectures. The unauthenticated DoS vector poses immediate operational risk. Organizations with Tenda G0 devices in production should prioritize patching within 30 days to reduce exposure before the vulnerability becomes more widely known or exploited.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects high attack accessibility combined with full availability impact. The vulnerability lacks integrity or confidentiality impact (no data exfiltration or modification), but the ability to remotely crash network equipment without authentication justifies the elevated score. The score does not account for real-world factors such as device prevalence or attacker motivation, which may elevate or lower risk depending on your environment.
Frequently asked questions
Does this vulnerability allow attackers to gain remote code execution or steal data?
No. This vulnerability causes a denial of service through a buffer overflow that crashes the device. It does not enable code execution, privilege escalation, or data exfiltration. The impact is limited to availability.
Can this vulnerability be exploited if the device's HTTP interface is not exposed to the internet?
The vulnerability requires network-accessible HTTP access to the Tenda G0 device. If the device is behind a firewall or not directly exposed to the internet, the attack surface is reduced. However, if an attacker has internal network access or if the device is misconfigured with open ports, they can exploit the vulnerability from within the network.
Should I disable the Tenda G0 device until a patch is available?
Disabling the device is not necessary if you implement network controls. Restrict HTTP access to the device using firewall rules or access control lists to allow only trusted administrators. This mitigates the vulnerability until a patch is deployed. Monitor the device for unexpected reboots as a sign of exploitation attempts.
What firmware version should I upgrade to?
Consult Tenda's official security advisory and product support page for the patched firmware version. The current vulnerable version is 15.11.0.5. Tenda will publish a specific patched version number in their advisory; do not rely on version numbers from unofficial sources.
This analysis is provided for informational purposes based on publicly available vulnerability data. Actual patch versions, release dates, and affected firmware ranges should be verified directly with Tenda's official security advisories and vendor notifications. SEC.co does not provide guarantees regarding the completeness or accuracy of vulnerability data. Organizations should conduct their own risk assessment and testing before deploying patches or security changes in production environments. This vulnerability analysis does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2025-52292HIGHGPAC MP4Box Stack Buffer Overflow Denial of Service
- CVE-2025-66280HIGHQNAP Integer Overflow Vulnerability: Patch & Risk Assessment
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi