CVE-2026-36789: Shenzhen Tenda Technology Co
Shenzhen Tenda Technology Co., Ltd Tenda AC1206 v15.03.06.23 was discovered to contain multiple stack overflows in the fromGstDhcpSetSer function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Multiple stack-based buffer overflows exist in the Tenda AC1206 router firmware (v15.03.06.23), specifically in the fromGstDhcpSetSer function, triggered through the username and password HTTP request parameters. The vulnerabilities are reachable over the network without any authentication or user interaction. Successful exploitation causes the device to crash, resulting in a denial of service. HarborGuard is tracking the advisory and will make a patched rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-36789 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image carrying the affected Tenda AC1206 firmware version will surface a finding automatically.
AvailableHarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and can weight that score against each customer environment's compliance policy to determine urgency and route the finding to the appropriate team inbox. Per-environment policy controls let customers escalate or suppress findings based on their own asset classifications.
AvailableNo fix version has been published by the vendor; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as a patch becomes available.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable HTTP endpoint is exposed over the network, so an attacker must be able to reach the device's web interface to send the crafted request.
- AuthenticationNot required
No credentials are needed; the overflow is triggered through parameters processed before any authentication check.
- Victim interactionNot required
The attack is fully remote and automated; no user on the target device needs to take any action.
- Attack complexityDetail
Exploitation is straightforward and condition-free; an attacker only needs to send a crafted HTTP request with an oversized username or password parameter.
Blast Radius
- Crashes the affected Tenda AC1206 router process, taking the device offline and cutting network connectivity for all clients behind it.
- Repeated exploitation keeps the device in a crashed or reboot loop, sustaining the outage without further attacker effort.
- No confidentiality or integrity impact is indicated; the attacker gains no access to data and cannot modify stored configuration.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked continuously against customer image inventories, with findings surfaced as soon as the CVE was published. Because no vendor patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix ships. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR flow will trigger automatically at that point. In the interim, compensating controls worth considering include network-policy rules that restrict access to the device management interface to trusted subnets only, egress filtering to limit exposure of the HTTP management port, and rate-limiting or firewall rules to block oversized HTTP payloads directed at the affected endpoint.
- n/a / n/an/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H