CVE-2026-36823: Tenda W20E Buffer Overflow Denial of Service Vulnerability
Tenda W20E routers running firmware version 15.11.0.6 contain a buffer overflow vulnerability in a web authentication function. An attacker can send a specially crafted HTTP request to crash the router, rendering it unavailable. The vulnerability requires no authentication and can be triggered remotely, making it a straightforward denial-of-service risk for affected deployments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36823 is a stack-based buffer overflow (CWE-121) in the formAddWebAuthUser function of Tenda W20E v15.11.0.6. The webAuthUserInfo parameter fails to validate input length before copying data into a fixed-size buffer. An attacker can construct an HTTP request with an oversized webAuthUserInfo value to overwrite stack memory, triggering a crash and service denial. The attack is network-accessible, requires no credentials, and has no user interaction requirement. While the CVSS vector indicates no confidentiality or integrity impact, the stack corruption could theoretically enable code execution depending on memory layout and compiler specifics—however, the disclosed impact is limited to availability.
Business impact
Affected routers will become unavailable during and after the attack, disrupting network connectivity for all users relying on the device. For small office or home office environments, this can cause significant downtime. For managed service providers or enterprises with these devices in their infrastructure, a coordinated attack could affect multiple customer sites simultaneously. Recovery requires manual intervention (reboot), and repeated attacks could create operational burden and potential SLA violations.
Affected systems
The vulnerability affects Tenda W20E routers running firmware version 15.11.0.6. Verify your installed firmware version via the router's administration interface or check device labels. The W20E is a cost-effective dual-band router commonly deployed in SMB and residential networks. Tenda has not publicly disclosed whether earlier or later firmware versions are affected; check Tenda's security advisory for the complete scope and patch availability.
Exploitability
This vulnerability is highly exploitable. No authentication, special privileges, or user interaction is required—any attacker on the network or internet can trigger it by sending a single malformed HTTP request to the router's web interface (typically port 80 or 8080). Exploit development is straightforward for someone with basic HTTP fuzzing knowledge. The lack of authentication and simple trigger mechanism mean this vulnerability poses an immediate risk and should be treated as remotely exploitable without prerequisites.
Remediation
Firmware update is the primary remediation. Contact Tenda or check their support portal for a patched firmware version addressing CVE-2026-36823. In the interim, restrict access to the router's web interface using firewall rules—block HTTP/HTTPS traffic to the router from untrusted networks, and allow access only from trusted administrative sources. If the device supports it, disable remote management features that expose the web interface to the internet.
Patch guidance
Check Tenda's official security advisory and firmware download page for a patched version of W20E firmware. Download the correct file for your hardware revision and follow Tenda's documented upgrade procedure (usually via the router's web admin panel). Test the patch in a non-production environment if possible. After upgrading, verify the new firmware version and confirm the router remains accessible to authorized users. Document the patch date for compliance records.
Detection guidance
Monitor your network for HTTP requests to the router's web interface containing unusually long or malformed webAuthUserInfo parameter values. Watch for sudden restarts or loss of connectivity to W20E devices, which may indicate a crash. Enable logging on the router if available. Implement network intrusion detection signatures that flag oversized parameters in formAddWebAuthUser requests. Check router uptime and log files for unexpected resets correlated with external traffic spikes.
Why prioritize this
This vulnerability merits immediate attention due to its combination of high CVSS score (7.5), unauthenticated remote exploitability, and straightforward attack mechanism. Although impact is limited to denial of service rather than data breach, the ease of exploitation and broad network access requirements mean attackers can disrupt operations at scale with minimal effort. Organizations should prioritize patching within the same business cycle or accelerate if these routers are internet-exposed or in critical network paths.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible, unauthenticated, low-complexity attack (AV:N/AC:L/PR:N/UI:N) with complete availability impact (A:H) but no confidentiality or integrity compromise. This is appropriate for a remotely triggerable denial-of-service flaw with no prerequisites. The absence from the CISA Known Exploited Vulnerabilities (KEV) catalog does not imply lower risk—it indicates the vulnerability has not yet been observed in active, widespread exploitation, but given its simplicity and network exposure, it should be monitored closely.
Frequently asked questions
Can this vulnerability affect my network if my Tenda W20E is not directly connected to the internet?
Yes. If the router is on a network segment accessible to any untrusted user (including internal compromised devices or guest networks), an attacker can send a crafted HTTP request to crash it. The term 'remote' in the vulnerability description means network-accessible, not necessarily internet-facing.
Does the patch require downtime or will it cause configuration loss?
Firmware updates typically require a device reboot, which will brief interrupt connectivity. Reputable vendors preserve configuration during updates, but always back up your router settings before upgrading. Test the upgrade procedure on a spare device if available.
Is this vulnerability being actively exploited in the wild?
As of the publication date, the vulnerability has not been added to CISA's Known Exploited Vulnerabilities list, suggesting no widespread active exploitation has been publicly confirmed. However, the simplicity of the attack means opportunistic exploitation is possible—prompt patching is still essential.
What if Tenda does not release a patch for my firmware version?
If your firmware version reaches end-of-life without a patch, apply the most recent available firmware version if there is a compatible upgrade path. As a compensating control, strictly limit access to the router's web interface via firewall rules and disable remote management. Plan to replace the device if no patched firmware is available and the device remains in a security-critical position.
This analysis is provided for informational purposes to aid security decision-making. The information herein is based on the CVE description and CVSS assessment published as of the modification date. Actual patch availability, scope of affected firmware versions, and vendor guidance may differ; consult Tenda's official security advisory and product documentation before deploying changes. SEC.co does not provide legal or compliance advice. Organizations should validate findings in their own environments and coordinate patching with their change management processes. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2025-52292HIGHGPAC MP4Box Stack Buffer Overflow Denial of Service
- CVE-2025-66280HIGHQNAP Integer Overflow Vulnerability: Patch & Risk Assessment
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi