CVE-2026-36806: Shenzhen Tenda Technology Co
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserPwd parameter of the formModifyWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in the Tenda W15E router firmware (v15.11.0.10), specifically in the webAuthUserPwd parameter of the formModifyWebAuthUser function. The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation crashes the affected service, causing a denial of service. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection capability for CVE-2026-36806 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that incorporate affected Tenda W15E firmware components. Coverage applies to both registry scans and in-pipeline image checks at build time.
AvailableHarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each customer environment's compliance policy to surface the right priority level. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.
AvailableNo fix version has been published upstream for CVE-2026-36806; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream vendor ships a fix. Customers with auto-remediation enabled will automatically receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as a fix version is available.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable function is exposed over the network, meaning an attacker must be able to send HTTP requests to the device to trigger the overflow.
- AuthenticationNot required
No credentials are needed; an unauthenticated attacker can send the crafted request directly.
- Victim interactionNot required
No user action is required; the attacker triggers the crash entirely through their own HTTP request.
- Attack complexityDetail
Exploitation is reliable and condition-free, requiring only a crafted HTTP request with no race conditions or environmental factors to manage.
Blast Radius
- Crashes the web authentication service on the affected Tenda W15E device, making it unavailable.
- Forces a denial-of-service condition that disrupts any network authentication flows dependent on the device.
- No confidentiality or integrity impact is indicated; the attacker gains no read or write access to data.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored with no fix version currently published by the vendor. HarborGuard re-evaluates the advisory on every ingest cycle so that a patched-image rebuild becomes available automatically the moment Tenda publishes a fix. In the interim, compensating controls are worth considering: network-policy isolation to restrict HTTP access to the device management interface to trusted subnets only, egress filtering to limit exposure of the management plane, and feature-flag or ACL gating on the web authentication endpoint where the firmware permits it. For customers with auto-remediation enabled, once a fix version is published upstream, HarborGuard will trigger a rebuild, run regression tests, and open a PR against affected workloads without manual intervention.
- n/a / n/an/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H