CVE-2026-36821: Shenzhen Tenda Technology Co
Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A buffer overflow vulnerability in the Tenda W20E router firmware (v15.11.0.6) allows an unauthenticated remote attacker to crash the device by sending a crafted HTTP request containing an oversized value in the picCropName parameter of the formCropAndSetWewifiPic function. The vulnerability is reachable over the network and requires no credentials or user interaction to trigger. Successful exploitation causes a denial of service, taking the affected device offline. No fix version has been published; HarborGuard tracks the upstream advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-36821 is available across all HarborGuard environments, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Tenda W20E firmware components. Any image containing the affected firmware version is flagged automatically in both registry scans and CI/CD pipeline checks.
AvailableHarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and can weight it further against each customer environment's compliance policy to surface it to the appropriate team inbox. Per-environment context, such as whether the affected image is deployed in an internet-facing workload, is factored into prioritization where policy rules are configured.
AvailableBecause no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, customers with network-isolation policies configured can use HarborGuard's compensating-control suggestions to flag affected workloads for manual review or segmentation.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable HTTP endpoint is exposed over the network, so the attacker must be able to reach the device's web interface remotely.
- AuthenticationNot required
No credentials are needed; the vulnerable parameter is accessible without any authentication.
- Victim interactionNot required
The attacker sends a crafted HTTP request directly to the device; no user action on the victim's side is required.
- Attack complexityDetail
Exploitation is straightforward and condition-free, requiring only a single crafted HTTP request with no timing constraints or environmental dependencies.
Blast Radius
- Crashes the affected Tenda W20E device, making it unavailable and dropping all traffic routed through it.
- Network connectivity for any hosts relying on the device as a gateway or access point is severed until the device is manually rebooted.
- No confidentiality or data-integrity impact is present; the exploit effect is limited entirely to availability loss.
How HarborGuard Handles This
Available on HarborGuard: since no upstream patch exists for CVE-2026-36821, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published upstream. Until then, customers can apply compensating controls through HarborGuard's policy engine, including network-isolation rules that restrict access to the device's HTTP management interface, egress-filtering recommendations, and flagging of affected workloads for manual review. For environments with auto-remediation enabled, a rebuild and regression run will be triggered automatically and a PR opened against affected workloads as soon as a fix version becomes available.
- n/a / n/an/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H