HIGH 7.5

CVE-2026-36805: Tenda G0 Buffer Overflow Denial of Service Vulnerability

Tenda G0 routers running firmware version 15.11.0.5 contain buffer overflow vulnerabilities in a function that handles QQ list data. An attacker can send a specially crafted HTTP request to crash the device, causing a denial of service. No authentication is required, and the attack can be launched over the network.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain multiple buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-36805 is a stack-based buffer overflow vulnerability (CWE-121) in the Saveqqlist function of Tenda G0 v15.11.0.5. The vulnerability exists in the processing of the qqStr and markStr HTTP parameters. Insufficient input validation allows attackers to overwrite stack memory with controlled data, resulting in uncontrolled process termination. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network-accessible, unauthenticated attack surface with high availability impact.

Business impact

Tenda G0 routers are commonly deployed as edge network devices in small offices and home networks. A successful DoS attack renders the device inoperable, interrupting internet connectivity and any services dependent on it. For organizations relying on these routers for branch office or remote site connectivity, such outages can cascade into broader business disruption. The ease of exploitation increases the likelihood of opportunistic attacks at scale.

Affected systems

This vulnerability affects Tenda G0 firmware version 15.11.0.5. Organizations should inventory Tenda G0 devices and determine their current firmware versions. The vulnerability description does not enumerate all affected firmware versions; users of other G0 versions should consult Tenda's official security advisories to determine whether they are in scope.

Exploitability

This vulnerability is readily exploitable. It requires only network access, no authentication, and no user interaction. An attacker can craft a malicious HTTP request targeting the vulnerable Saveqqlist function and send it to any exposed Tenda G0 device. The low attack complexity and lack of privilege or interaction requirements make this attractive for automated scanning and opportunistic exploitation. However, the vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been widely documented at this time.

Remediation

Apply the latest firmware update from Tenda that patches the buffer overflow in the Saveqqlist function. Verify the patched version against Tenda's official security advisory to confirm the fix is included. As an interim measure, restrict HTTP access to the device's management interface using firewall rules, network segmentation, or access control lists to limit exposure to potential attackers.

Patch guidance

Check Tenda's official support website and security advisories for firmware updates addressing CVE-2026-36805. Firmware updates for Tenda G0 devices are typically deployed through the device's web interface (Settings > Firmware Upgrade) or via a downloadable image from Tenda's support portal. Before applying any update, back up your device configuration. Test updates in a non-production environment if feasible. Document the pre-patch and post-patch firmware versions for compliance and change management records.

Detection guidance

Monitor for HTTP POST/GET requests to the Tenda G0 device containing suspicious parameters named 'qqStr' or 'markStr' with unusually long payloads or binary data. Check device logs for unexpected reboots or process crashes coinciding with HTTP requests. Network-based detection can identify scanning patterns targeting Tenda G0 devices on standard HTTP ports. Intrusion detection systems may flag attempts to overflow stack buffers via web parameters. Device uptime monitoring can alert to unexpected restarts caused by DoS attacks.

Why prioritize this

Although this vulnerability is not yet on the CISA KEV catalog, it warrants high priority due to its accessibility (network-based, no authentication), high availability impact, and the prevalence of Tenda G0 routers in distributed network architectures. The unauthenticated DoS vector poses immediate operational risk. Organizations with Tenda G0 devices in production should prioritize patching within 30 days to reduce exposure before the vulnerability becomes more widely known or exploited.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects high attack accessibility combined with full availability impact. The vulnerability lacks integrity or confidentiality impact (no data exfiltration or modification), but the ability to remotely crash network equipment without authentication justifies the elevated score. The score does not account for real-world factors such as device prevalence or attacker motivation, which may elevate or lower risk depending on your environment.

Frequently asked questions

Does this vulnerability allow attackers to gain remote code execution or steal data?

No. This vulnerability causes a denial of service through a buffer overflow that crashes the device. It does not enable code execution, privilege escalation, or data exfiltration. The impact is limited to availability.

Can this vulnerability be exploited if the device's HTTP interface is not exposed to the internet?

The vulnerability requires network-accessible HTTP access to the Tenda G0 device. If the device is behind a firewall or not directly exposed to the internet, the attack surface is reduced. However, if an attacker has internal network access or if the device is misconfigured with open ports, they can exploit the vulnerability from within the network.

Should I disable the Tenda G0 device until a patch is available?

Disabling the device is not necessary if you implement network controls. Restrict HTTP access to the device using firewall rules or access control lists to allow only trusted administrators. This mitigates the vulnerability until a patch is deployed. Monitor the device for unexpected reboots as a sign of exploitation attempts.

What firmware version should I upgrade to?

Consult Tenda's official security advisory and product support page for the patched firmware version. The current vulnerable version is 15.11.0.5. Tenda will publish a specific patched version number in their advisory; do not rely on version numbers from unofficial sources.

This analysis is provided for informational purposes based on publicly available vulnerability data. Actual patch versions, release dates, and affected firmware ranges should be verified directly with Tenda's official security advisories and vendor notifications. SEC.co does not provide guarantees regarding the completeness or accuracy of vulnerability data. Organizations should conduct their own risk assessment and testing before deploying patches or security changes in production environments. This vulnerability analysis does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).