HarborGuard Database
CVE-2026-36818 | Severity: HIGH | CNA: mitre

CVE-2026-36818: Shenzhen Tenda Technology Co., Ltd Tenda W20E buffer overflow in formAddWewifiWhiteUser

Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the wewifiWhiteUserInfo parameter of the formAddWewifiWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow in the Tenda W20E router firmware (version 15.11.0.6) allows an unauthenticated attacker to crash the device by sending a crafted HTTP request whose wewifiWhiteUserInfo parameter is handled by the formAddWewifiWhiteUser function. The vulnerability is reachable over the network with no login and no user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) claims an availability impact only: the advisory asserts no confidentiality or integrity impact and no code execution, so the documented outcome is a Denial of Service that takes the router offline. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as upstream ships one.
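The bug class the synopsis describes, as an added illustration that is not Tenda's firmware code (the W20E source is not public and nothing here reproduces it): a hypothetical form handler copies the wewifiWhiteUserInfo value into a fixed-size stack buffer with an unbounded strcpy, beside a hardened handler that rejects over-length values before copying. The 64-byte buffer size, the function names, the form parser and the request bodies are all assumptions made for the example.

```c
/* Added example: generic stack-overflow pattern and its fix.
 * NOT Tenda firmware code. Buffer size, names and bodies are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERINFO_MAX 64   /* assumed size of the on-stack buffer */

/* Extract the value of `key` from an application/x-www-form-urlencoded
 * body. Returns a heap copy (caller frees) or NULL if the key is absent.
 * Percent-decoding is skipped: it is irrelevant to a length check. */
static char *form_get(const char *body, const char *key)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, p + klen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = end ? end + 1 : NULL;
    }
    return NULL;
}

/* Vulnerable pattern: attacker-controlled input copied without a bound
 * into a fixed-size stack buffer. An oversized value overruns `info`. */
int add_whitelist_user_vulnerable(const char *body)
{
    char info[USERINFO_MAX];
    char *v = form_get(body, "wewifiWhiteUserInfo");
    if (!v) return -1;                 /* parameter missing */
    strcpy(info, v);                   /* no length check: overflow on long input */
    free(v);
    return (int)strlen(info);          /* stand-in for "entry stored" */
}

/* Hardened pattern: reject anything that does not fit (with room for the
 * terminator), then copy exactly the checked length. */
int add_whitelist_user_hardened(const char *body)
{
    char info[USERINFO_MAX];
    char *v = form_get(body, "wewifiWhiteUserInfo");
    if (!v) return -1;                 /* parameter missing */
    size_t vlen = strlen(v);
    if (vlen >= sizeof info) {
        free(v);
        return -2;                     /* reject: a real handler answers 400 */
    }
    memcpy(info, v, vlen + 1);
    free(v);
    return (int)vlen;
}

/* Constructed sample body (not captured traffic). */
const char *BENIGN_BODY = "wewifiWhiteUserInfo=alice%3Aphone&enable=1";

/* Builds a constructed body whose wewifiWhiteUserInfo value is n bytes long. */
char *make_oversized_body(size_t n)
{
    const char *prefix = "wewifiWhiteUserInfo=";
    size_t plen = strlen(prefix);
    char *b = malloc(plen + n + 1);
    if (!b) return NULL;
    memcpy(b, prefix, plen);
    memset(b + plen, 'A', n);
    b[plen + n] = '\0';
    return b;
}

int main(void)
{
    char *big = make_oversized_body(512);
    printf("hardened, benign:    %d\n", add_whitelist_user_hardened(BENIGN_BODY));
    printf("hardened, oversized: %d\n", add_whitelist_user_hardened(big));
    printf("vulnerable, benign:  %d\n", add_whitelist_user_vulnerable(BENIGN_BODY));
    /* add_whitelist_user_vulnerable(big) is deliberately not called: it would
     * overrun `info` and corrupt the stack, which is the crash in the advisory. */
    free(big);
    return 0;
}
```

The check in the hardened handler is the whole fix: the bound is compared before any copy, and the copy length is the value that was checked, so the buffer size and the copy size cannot drift apart. Rejecting at the parser boundary (returning an error to the client) is preferable to silent truncation, which can produce a stored entry that differs from what the administrator submitted.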

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-36818 is active across all HarborGuard environments: the CVE is ingested from upstream feeds and matched against customer images within minutes of publication, including custom-built images that bundle Tenda W20E firmware or related packages, and any image in a connected registry or CI pipeline that carries the affected component is flagged. Note that the advisory publishes no package name or version range (the affected-packages entry below is n/a), so automated matching cannot key on a package identifier; confirm coverage against how the W20E firmware is recorded in your own inventory.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency. Triage routing delivers the finding to the appropriate team inbox in each customer organization according to configured ownership rules.

Patch: Pending upstream

Because no fix version has been published for CVE-2026-36818, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable HTTP endpoint must be reachable from the attacker; the crafted request is sent directly to the device with no prior foothold (CVSS AV:N).

  • Authentication: Not required

    No credentials or account of any privilege level are needed to trigger the overflow (CVSS PR:N).

  • Victim interaction: Not required

    No action by any user or administrator of the target device is needed (CVSS UI:N).

  • Attack complexity: Low

    The attacker supplies an oversized value in the wewifiWhiteUserInfo parameter of a request handled by formAddWewifiWhiteUser; no race condition, special configuration or prior knowledge of the target is needed (CVSS AC:L).

Blast Radius

  • Crashes the vulnerable Tenda W20E service, dropping traffic routed through the device while it is down.
  • Leaves the device unavailable until it is manually rebooted or restarts on its own, a full outage for connected clients.
  • Allows a sustained outage if the attacker re-sends the crafted request after each restart.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all scanning environments from the moment the advisory was ingested, covering vendor-supplied and custom-built images that contain the affected Tenda W20E firmware component. Because no upstream fix exists yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as a fix version is published; for customers with auto-remediation enabled, that triggers a rebuild, a regression test run, and a PR against any affected workloads. Until then, compensating controls worth applying: restrict the device's HTTP management interface to trusted source addresses with a network ACL or firewall rule; make sure remote management is not exposed to the WAN or public internet (this is ingress filtering on the management port, not egress filtering); and, where the firmware permits it, restrict access to the WeWiFi whitelist feature served by formAddWewifiWhiteUser. Because the overflow is reachable without authentication, a strong admin password does not mitigate it; only limiting who can reach the endpoint does.

Affected packages
  • n/a / n/a (no package name or version range published; the advisory identifies the product only as Tenda W20E firmware v15.11.0.6)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
(network attack vector, low complexity, no privileges, no user interaction, unchanged scope; availability impact High, no confidentiality or integrity impact)