CVE-2026-36808: Tenda W15E Buffer Overflow DoS Vulnerability
A buffer overflow vulnerability exists in Tenda W15E router firmware version 15.11.0.10. An attacker can send a specially crafted web request to the device's authentication function, causing it to crash and become unavailable. No authentication is required, and the attack works over the network, making it a straightforward denial-of-service threat to affected routers.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-120
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36808 is a classic buffer overflow flaw (CWE-120) in the formAddWebAuthUser function's webAuthUserInfo parameter processing. The vulnerability resides in the web authentication module of Tenda W15E running firmware 15.11.0.10. An unauthenticated, network-based attacker can craft an HTTP request with an oversized or malformed webAuthUserInfo value, triggering a stack or heap overflow that crashes the device. The CVSS 3.1 vector (7.5 HIGH) reflects the availability impact: no privileges needed, low complexity, network-accessible, resulting in high confidentiality impact only in terms of denial of service.
Business impact
Affected routers become unavailable following an attack, disrupting network access for all connected users and devices. For small offices, retail locations, or homes relying on the W15E, this translates to complete internet outages. While the vulnerability does not enable data theft or unauthorized access, the availability loss can impair productivity and customer-facing services. Organizations relying on these devices for critical connectivity should prioritize remediation.
Affected systems
Tenda W15E firmware version 15.11.0.10 is confirmed vulnerable. Organizations should verify whether older or newer firmware versions in the W15E product line carry the same flaw; Tenda's security advisory should clarify the affected version range and whether other Tenda router models share this code path. Any deployment of W15E 15.11.0.10 in production environments is at risk.
Exploitability
Exploitability is straightforward: the vulnerability requires no authentication, no user interaction, and can be triggered via a simple HTTP request from any network-reachable position. An attacker needs only to identify a target running the vulnerable firmware and send a single crafted request. However, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the published date, meaning active exploitation in the wild has not been formally documented. Nonetheless, the low barrier to exploitation warrants immediate attention.
Remediation
Organizations should immediately apply the latest firmware update from Tenda that addresses CVE-2026-36808. Contact Tenda support or consult their security advisory for the patched firmware version number and deployment instructions. If a patch is not yet available, consider isolating affected W15E devices to trusted networks only, restricting web access via firewall rules, or temporarily disabling web authentication features if operational constraints permit. Firmware updates for router devices typically involve a brief reboot cycle.
Patch guidance
Visit the Tenda support portal or security advisory page specific to CVE-2026-36808 to obtain the patched firmware version. Verify the checksum or digital signature of the downloaded firmware file before installation. Schedule patching during a maintenance window to minimize service disruption. Test the update on a non-production device first if possible. Document the current and new firmware versions for compliance and audit purposes. Note: specific patch version numbers and availability dates should be confirmed against the official Tenda advisory.
Detection guidance
Monitor network traffic for HTTP requests to the vulnerable router's web interface with unusually large or malformed webAuthUserInfo parameter values. Log unexpected device reboots or authentication service failures on W15E devices. Implement network segmentation to limit direct web access to routers only from trusted administrative hosts. Check firmware versions across all deployed W15E units to identify vulnerable instances. Configure SNMP or syslog monitoring to alert on device restarts or state changes that might indicate exploitation attempts.
Why prioritize this
Despite a CVSS score of 7.5 (HIGH) and lack of KEV status, this vulnerability merits urgent priority because: (1) the attack surface is the router's public-facing web interface, accessible to any network attacker; (2) exploitation is trivial—no special tools or credentials needed; (3) affected organizations rely on routers for critical network availability, and denial of service directly impacts operations; (4) the device is typically rebooted manually, delaying recovery. Rapid patching prevents easily preventable outages.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a high-severity availability impact: network-accessible (AV:N), no privileges or user interaction required (PR:N, UI:N), and complete denial of service to the device (A:H). The vector correctly assigns zero impact to confidentiality and integrity, as the flaw does not leak data or enable unauthorized access. The score appropriately emphasizes the operational risk posed by undefended denial of service on network infrastructure.
Frequently asked questions
Is my Tenda W15E definitely vulnerable if I own one?
Only if it is running firmware version 15.11.0.10 specifically. Check your device's firmware version in the administration panel. If you are running a different version, consult Tenda's security advisory to confirm whether your firmware is affected. Organizations should audit all W15E deployments immediately.
Can an attacker steal my Wi-Fi password or intercept traffic with this vulnerability?
No. This vulnerability causes denial of service only—it crashes the router but does not enable data theft, password extraction, or traffic interception. However, the attack does make the router unavailable, which disrupts all connected users and devices.
What should I do if Tenda has not yet released a patch?
Restrict network access to the router's web interface using firewall rules, limiting administrative access to known IP addresses only. If possible, disable web-based authentication if you do not rely on it, or isolate the device to a trusted internal network segment. Monitor for unexpected reboots. Prioritize applying a patch as soon as Tenda releases one.
Do I need special tools or network access to exploit this?
No. An attacker only needs to send an HTTP request with a crafted parameter to the router's web server. The attack can be performed from any network that can reach the router, using basic tools like curl or a web browser. This low barrier to exploitation is why rapid patching is critical.
This analysis is based on publicly available vulnerability data as of June 2026. Specific patch version numbers, availability dates, and affected firmware ranges should be verified against the official Tenda security advisory. Organizations are responsible for validating their own environment and confirming patch applicability. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Always consult vendor advisories and test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution
- CVE-2026-10126HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10163HIGHEdimax BR-6478AC Buffer Overflow in USB Account Handler
- CVE-2026-10164HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution