CVE-2026-36794: Shenzhen Tenda Technology Co
Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain multiple stack overflows in the R7WebsSecurityHandler function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stack-based buffer overflows in the Tenda W3 Wireless Router (firmware v1.0.0.3(2204)) allow an unauthenticated remote attacker to crash the device by sending a crafted HTTP request to the R7WebsSecurityHandler function via the username or password parameters. No authentication or victim interaction is needed; the attacker only needs network access to the router's web interface. Successful exploitation causes a denial of service, taking the device offline. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-36794 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle Tenda W3 firmware or related components.
- Triage (Available): Triage is available with CVSS v3.1 scoring at 7.5 (HIGH), weighted against each customer environment's compliance policy to reflect actual exposure; findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.
- Fix (Pending upstream): No fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released, at which point customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The vulnerable HTTP endpoint is exposed over the network, so the attacker must be able to reach the router's web interface to send the crafted request.
- Authentication: Not required
No credentials are needed; the overflow is triggered through the login parameters before any authentication check completes.
- Victim interaction: Not required
The attack is fully automated and requires no action from any user on the targeted device.
- Attack complexity: Low
Exploitation is reliable and condition-free; the attacker simply sends an oversized value in the username or password field of a crafted HTTP request.
Blast Radius
- Crashes the router's web-facing process, rendering the device unresponsive and dropping all network connectivity for clients behind it.
- Repeated requests can sustain the outage, effectively cutting off network access for the affected segment until the device is manually rebooted.
- No confidentiality or integrity impact is indicated; the attacker gains no data access or ability to modify configuration.
How HarborGuard Handles This
Available on HarborGuard: monitoring of CVE-2026-36794 is active across every ingest cycle, with the advisory re-evaluated each time upstream sources are checked for patch availability. Because no fix version exists today, HarborGuard cannot yet produce a patched-image rebuild, but the rebuild will become available automatically the moment Tenda publishes a corrected firmware release. In the interim, compensating controls worth considering include network-policy rules that restrict access to the router's management HTTP port to trusted administrative hosts only, egress filtering to limit lateral reachability from the affected device, and disabling remote web-interface access if the feature is not operationally required. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and PR against affected workloads will be triggered without manual intervention once the upstream fix lands.
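The root cause described in the Exploit Conditions section (an oversized username or password value overflowing a fixed-size stack buffer) and the interim controls discussed above both come down to one defensive check: bound the length of each login field before it is ever copied. The following C code is an added example, not Tenda firmware code and not HarborGuard's; it shows a length-validating form-field parser of the kind a web handler such as R7WebsSecurityHandler would need, plus a helper that a reverse proxy or log scanner in front of the device could use to flag oversized login requests. The field names, the buffer limits (32 and 64 bytes), and the sample request bodies are assumptions constructed for illustration; the real firmware's limits are not known.

```c
/* Added example (not Tenda's or HarborGuard's code): bounded parsing of the
 * login form fields so that an oversized value is rejected before any copy
 * into a fixed-size stack buffer can happen. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for illustration; the real firmware's buffer sizes are unknown. */
#define MAX_USERNAME 32
#define MAX_PASSWORD 64

enum login_status {
    LOGIN_OK = 0,
    LOGIN_MISSING = 1,     /* a required field is absent */
    LOGIN_TOO_LONG = 2,    /* a value exceeds its buffer: the CVE's trigger */
    LOGIN_BAD_FORMAT = 3   /* no body at all */
};

struct login_fields {
    char username[MAX_USERNAME + 1];
    char password[MAX_PASSWORD + 1];
};

/* Copy the value of "key=" from an application/x-www-form-urlencoded body into
 * out (capacity cap, including the NUL). The length is checked BEFORE the copy,
 * so out can never overflow regardless of the request size. Percent-decoding is
 * left out: decoding can only shrink a value, so checking the encoded length is
 * the conservative choice. */
static enum login_status extract_field(const char *body, const char *key,
                                       char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = body;

    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *val = p + klen + 1;
            const char *end = strchr(val, '&');
            size_t vlen = end ? (size_t)(end - val) : strlen(val);
            if (vlen >= cap)
                return LOGIN_TOO_LONG;   /* reject; nothing has been written */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return LOGIN_OK;
        }
        p = strchr(p, '&');             /* advance to the next key=value pair */
        if (p != NULL)
            p++;
    }
    return LOGIN_MISSING;
}

/* Parse both login fields; any failure leaves f zeroed. */
enum login_status parse_login(const char *body, struct login_fields *f)
{
    enum login_status s;

    memset(f, 0, sizeof *f);
    if (body == NULL)
        return LOGIN_BAD_FORMAT;
    s = extract_field(body, "username", f->username, sizeof f->username);
    if (s != LOGIN_OK)
        return s;
    return extract_field(body, "password", f->password, sizeof f->password);
}

/* Convenience wrapper returning only the status for a body. */
enum login_status login_status_of(const char *body)
{
    struct login_fields f;
    return parse_login(body, &f);
}

/* Detection-side helper for a proxy or log scanner in front of the router:
 * true when a login body carries a field longer than the handler would accept. */
int login_request_is_oversized(const char *body)
{
    return login_status_of(body) == LOGIN_TOO_LONG;
}

/* Constructed sample: a 300-byte username, far beyond MAX_USERNAME. */
int oversized_login_sample_is_rejected(void)
{
    char body[400];
    size_t n = 0;

    memcpy(body + n, "username=", 9);  n += 9;
    memset(body + n, 'A', 300);        n += 300;
    memcpy(body + n, "&password=x", 11); n += 11;
    body[n] = '\0';
    return login_status_of(body) == LOGIN_TOO_LONG;
}

int main(void)
{
    struct login_fields f;
    enum login_status s = parse_login("username=admin&password=s3cret", &f);

    printf("normal body: status=%d user=%s\n", (int)s, f.username);
    printf("oversized body rejected: %d\n", oversized_login_sample_is_rejected());
    return 0;
}
```

The same parser serves both roles named above: inside the handler it is the fix (the copy is gated on the length check, so the stack buffer is never overrun), and in front of the device it is a cheap compensating control that drops or logs requests whose login fields exceed the limits, which is the same signal a detection rule for this CVE would key on.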
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H