HIGH | CVE-2026-36802 | Published | Modified | CNA: mitre

CVE-2026-36802: Shenzhen Tenda Technology Co

Shenzhen Tenda Technology Co., Ltd Tenda PW201A v1.0.5 was discovered to contain a buffer overflow in the page parameter of the SafeMacFilter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the Tenda PW201A wireless access point (firmware v1.0.5) allows an unauthenticated attacker to crash the device by sending a crafted HTTP request to the SafeMacFilter function's page parameter. The vulnerability is reachable over the network with no authentication or user interaction required. Successful exploitation causes a denial of service, taking the affected device offline. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-36802 is available across every HarborGuard environment, with the CVE ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including internally built images that bundle this firmware or related components.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to route findings to the appropriate team inbox automatically.

Status: Available

Patch

No fix version has been published for CVE-2026-36802. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available to affected environments the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's HTTP service over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or session credential is needed to send the malicious HTTP request.

  • Victim interaction: Not required

    The attack is fully remote and requires no action from any user on the affected device.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions or special environmental factors must be satisfied.

Blast Radius

  • Crashes the Tenda PW201A access point process, rendering the device unresponsive and dropping all associated wireless clients.
  • No confidentiality loss is indicated; stored credentials, configurations, and user data are not exposed by this exploit path.
  • No integrity impact is indicated; persisted configuration and routing tables are not modified by the attack.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously with no manual steps required from customers. Because no upstream fix exists yet, the recommended interim approach is to apply network-policy controls that restrict HTTP management-plane access to the Tenda PW201A to trusted internal subnets only, and to enable egress filtering that prevents untrusted hosts from reaching the device's web interface. HarborGuard re-evaluates the advisory on every ingest cycle; for customers with auto-remediation enabled, a patched rebuild, regression test run, and PR against affected workloads will be generated automatically as soon as Tenda publishes a corrected firmware version.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H