CVE-2026-36809: Shenzhen Tenda Technology Co
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A buffer overflow vulnerability exists in the Tenda W15E wireless gateway (firmware v15.11.0.10), specifically in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. The flaw is reachable over the network without any authentication, by sending a specially crafted HTTP request to the device. Successful exploitation crashes the affected service, causing a denial of service. No upstream fix has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-36809 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Tenda W15E firmware or related components.
AvailableTriage is available with the CVSS 3.1 score of 7.5 (HIGH) applied to each matched image; per-environment compliance policy weighting can escalate or adjust priority, and findings are routed to the appropriate team inbox within each customer organization.
AvailableBecause no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, compensating-control recommendations are surfaced through the triage workflow.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable HTTP endpoint is exposed over the network, so an attacker must be able to reach the device across the network to send a crafted request.
- AuthenticationNot required
No credentials or prior account access are needed; the endpoint accepts unauthenticated HTTP requests.
- Victim interactionNot required
Exploitation is fully attacker-driven and does not require any action from a user or administrator on the target device.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.
Blast Radius
- Crashes the affected Tenda W15E service process, taking down web-based management or authentication functions on the device.
- Causes a denial of service for any users or systems depending on the gateway for network access or authentication.
- No confidentiality or integrity impact is indicated; the attacker cannot read or modify data through this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images on every scan cycle, covering any image that packages Tenda W15E firmware components. Because no upstream patch exists, HarborGuard monitors the advisory continuously and will surface a patched-image rebuild automatically once a fix version is published. While waiting for an upstream fix, customers can use HarborGuard compensating-control suggestions such as network-policy isolation (restricting inbound HTTP access to the management interface to trusted subnets only) and egress filtering to reduce the device's exposure surface. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR-opening flow will trigger automatically against affected workloads the moment an upstream fix becomes available.
- n/a / n/an/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H