CVE-2026-36821: Tenda W20E Buffer Overflow DoS Vulnerability (CVSS 7.5)
Tenda W20E routers running firmware version 15.11.0.6 contain a buffer overflow flaw in the image cropping function. An unauthenticated attacker can send a specially crafted web request to crash the device, rendering it temporarily unavailable. No authentication is required, and the attack can be launched from the network without user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36821 is a stack-based buffer overflow (CWE-121) in the formCropAndSetWewifiPic function within Tenda W20E firmware v15.11.0.6. The vulnerability exists in improper validation of the picCropName HTTP parameter, which fails to enforce adequate bounds checking before writing to a fixed-size buffer. This memory corruption results in denial of service when the overflow is triggered, causing the affected process to crash or the device to become unstable.
Business impact
Organizations relying on Tenda W20E routers for network access face intermittent connectivity loss if the vulnerability is exploited. Repeated attacks could create operational disruption, particularly in environments where these devices serve as primary or secondary network gateways. While confidentiality and integrity are not compromised, availability impact could affect remote work capabilities, branch office connectivity, or managed service delivery.
Affected systems
Tenda W20E firmware version 15.11.0.6 is confirmed vulnerable. Organizations should verify whether this specific firmware version is deployed in their router fleet. Tenda has not publicly released a comprehensive list of all affected versions, so interim mitigation and monitoring are prudent for any W20E deployment pending vendor guidance.
Exploitability
This vulnerability has a low barrier to exploitation. The attack requires only network access and a properly crafted HTTP request—no authentication, no user interaction, and no special client software. The simplicity of the attack vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N) means that exploitation can occur at scale if routers are exposed to untrusted networks or connected to the internet without proper access controls.
Remediation
Verify the firmware version on affected Tenda W20E devices and apply any available patches from Tenda. If no patch is available, segment W20E routers from untrusted networks, restrict HTTP access via firewall rules, and disable remote management interfaces. Consider replacing the device with a model from a vendor with more frequent security updates if the risk profile is high.
Patch guidance
Contact Tenda directly or check their support portal for updated firmware releases addressing CVE-2026-36821. Document the current firmware version (v15.11.0.6) on affected devices to track remediation progress. Verify patch availability before rolling out updates in production; test in a non-critical environment first to ensure stability. Until patches are deployed, prioritize devices in critical network positions for mitigation.
Detection guidance
Monitor for HTTP requests with unusually long or malformed picCropName parameter values sent to the formCropAndSetWewifiPic endpoint on Tenda W20E routers. Watch for unexpected device restarts or loss of connectivity from these devices. Implement network-level filtering to block overly long parameter strings. Enable verbose logging on affected routers if supported, and correlate logs with DoS events.
Why prioritize this
With a CVSS score of 7.5 (HIGH) and an unauthenticated, network-accessible attack vector, this vulnerability poses a credible denial-of-service risk to organizations operating Tenda W20E routers. The ease of exploitation and lack of authentication requirements warrant prompt inventory and mitigation planning, particularly for routers exposed to the internet or untrusted networks.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects high severity due to the complete denial of service impact (A:H), combined with a network-based, low-complexity attack requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N). The score does not increase to critical because the impact is limited to availability; no confidentiality or integrity breach occurs. Organizations with internet-facing W20E routers should treat this as a near-term remediation priority.
Frequently asked questions
Does this vulnerability affect all Tenda W20E models?
Only Tenda W20E firmware version 15.11.0.6 is confirmed vulnerable. Other firmware versions may or may not be affected. Check your device firmware version in the admin interface and compare against vendor advisories to determine your risk status.
Can an attacker read or modify data on the router or connected devices?
No. This vulnerability causes only a denial of service by crashing the router process. It does not enable data theft, configuration tampering, or lateral movement to other devices.
What should I do if I don't have a patch yet?
Implement compensating controls: segment the W20E from the internet, disable remote management, restrict HTTP/HTTPS access via firewall rules, and monitor for suspicious HTTP requests. Keep an eye on Tenda's security advisories for patch releases.
How quickly should we prioritize this if we use Tenda W20E routers?
Prioritize inventory and risk assessment immediately. If routers are exposed to the internet or untrusted networks, treat remediation as urgent. If they are only accessible on trusted internal networks, remediation can be scheduled within your standard patch cycle, but do not deprioritize indefinitely.
This analysis is based on publicly available vulnerability data as of the publication date. Tenda may release updated advisories, patches, or affected product lists that supersede this assessment. Organizations should consult official Tenda security resources and conduct independent testing before deploying mitigations or patches. SEC.co does not guarantee the completeness or real-time accuracy of vulnerability intelligence and recommends cross-referencing official vendor sources for patch deployment decisions. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2025-52292HIGHGPAC MP4Box Stack Buffer Overflow Denial of Service
- CVE-2025-66280HIGHQNAP Integer Overflow Vulnerability: Patch & Risk Assessment
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi