CVE-2026-36817: Tenda W15E Buffer Overflow DoS Vulnerability
A vulnerability in Tenda W15E wireless routers (version 15.11.0.10) allows remote attackers to crash the device by sending a specially crafted web request. The flaw exists in the router's authentication whitelist function and requires no special privileges or user interaction to exploit. An attacker can cause denial of service from the network without authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-120
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36817 is a classic buffer overflow (CWE-120) in the formAddWebAuthWhiteUser function of Tenda W15E firmware v15.11.0.10. The vulnerability is triggered via the webAuthWhiteUserInfo parameter in HTTP requests to the web interface. The flaw permits unauthenticated remote exploitation with network-level access, resulting in denial of service through memory corruption and process termination. The CVSS 3.1 score of 7.5 (HIGH) reflects network exploitability with no authentication requirement, though impact is limited to availability.
Business impact
Organizations deploying Tenda W15E routers face risk of network disruption through denial of service attacks. An attacker can remotely crash the device without credentials, forcing manual restart and potential extended downtime for network operations dependent on that access point. This is particularly concerning in SMB or branch office environments where device recovery may not be immediate, affecting business continuity and employee connectivity.
Affected systems
Tenda W15E wireless router firmware version 15.11.0.10 is confirmed vulnerable. Verify against Tenda's official security advisories whether other firmware versions or related Tenda models are affected; the vendor has not provided a comprehensive product scope in available disclosures. Organizations should inventory W15E deployments in production networks and check for available firmware patches.
Exploitability
Exploitation is straightforward and reliable. No authentication is required, no user interaction is needed, and an attacker needs only network access to the device's web interface (typically port 80 or 443). The attack is repeatable and requires only a basic HTTP POST request with a malformed webAuthWhiteUserInfo parameter. The attack surface is broad in any environment where the router is reachable over the network.
Remediation
The primary remediation is to apply a patched firmware version from Tenda. Check Tenda's official security advisory and support portal for version updates addressing CVE-2026-36817. As an interim measure, restrict network access to the router's web management interface using firewall rules or access control lists—limiting HTTP/HTTPS access to trusted administrator networks only will reduce immediate risk until patching is completed.
Patch guidance
Verify the latest available firmware version for Tenda W15E directly from Tenda's official website or support channels. Apply patches in a controlled maintenance window after testing in a non-production environment if possible. Because this vulnerability affects the router's core functionality, ensure you have a recovery plan and documented configuration before upgrading. Confirm patch application by verifying the installed firmware version in the router's web interface or CLI.
Detection guidance
Monitor for HTTP requests containing suspicious or oversized webAuthWhiteUserInfo parameters sent to the router's web interface. Watch for unexpected router restarts or loss of connectivity that correlates with external network activity. Implement network-based intrusion detection signatures for buffer overflow patterns targeting this function if your security infrastructure supports custom rules. Log all access to the router's management interface and review for anomalous requests post-incident.
Why prioritize this
This vulnerability rates HIGH priority due to network accessibility, lack of authentication requirement, and simplicity of exploitation. While impact is limited to denial of service (not confidentiality or integrity compromise), the ease of attack and broad attack surface in network-connected deployments warrant prompt patching. Organizations should schedule remediation within 2-4 weeks depending on business criticality of affected devices.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a HIGH-severity network-accessible vulnerability requiring no authentication or user interaction. The denial-of-service impact directly affects system availability. The score does not increase to Critical because confidentiality and integrity are not compromised—the attacker can only crash the device, not extract data or modify configurations. However, in environments where network uptime is critical, business risk may exceed the base CVSS score.
Frequently asked questions
Does this vulnerability allow an attacker to gain administrative control of the router?
No. This is a denial-of-service vulnerability only. It allows an attacker to crash the device, but not to gain access to configurations, user data, or perform lateral network movement. The attacker cannot extract credentials or modify router settings.
Can I be exploited if my router is not directly connected to the Internet?
Yes. If the router is reachable from any untrusted network segment—including an internal corporate network, guest network, or compromised workstation—exploitation is possible. Network accessibility is the only requirement; the attacker does not need direct Internet access to the device.
What should I do if I cannot apply the patch immediately?
Restrict access to the router's web management interface via firewall rules, limiting connections to specific trusted administrator IP addresses or subnets. Disable remote management if it is enabled. Implement network segmentation so the router is only reachable from authorized devices. These controls reduce but do not eliminate risk—apply patches as soon as feasible.
How can I tell if my router was already attacked?
Check the router's system logs (if available via CLI or web interface) for error messages or unexpected restarts. Firmware versions before patching will show signs of crashes or brief connectivity loss during an attack. Some routers maintain event logs—review those for anomalies. If you suspect exploitation, reboot the device and apply patches immediately.
This analysis is based on publicly disclosed vulnerability information as of June 2026. CVSS scores and severity ratings reflect standardized metrics but may not fully capture business impact in your specific environment. Patch versions, vendor advisories, and availability windows are subject to change—always verify current status with Tenda's official security communications before making remediation decisions. This page provides technical context for security decision-making but does not constitute professional security advice or a substitute for your organization's internal risk assessment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution
- CVE-2026-10126HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10163HIGHEdimax BR-6478AC Buffer Overflow in USB Account Handler
- CVE-2026-10164HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution