CVE-2026-36779 Overview
CVE-2026-36779 affects the Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router running firmware version v1.0.0.5(4180). The device contains multiple stack overflow vulnerabilities in the fromVirtualSer function. The flaws affect the puVar2, puVar1, __s2, __s1_00, and puVar3 parameters. A remote, unauthenticated attacker can trigger the condition by sending a crafted HTTP request to the router. Successful exploitation results in a Denial of Service (DoS) against the affected device. The weakness is classified under [CWE-121: Stack-based Buffer Overflow].
Critical Impact
Unauthenticated remote attackers can crash the Tenda O3 router over the network, disrupting wireless connectivity for all downstream clients.
Affected Products
- Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router
- Firmware version v1.0.0.5(4180)
- fromVirtualSer HTTP handler component
Discovery Timeline
- 2026-06-09 - CVE-2026-36779 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-36779
Vulnerability Analysis
The Tenda O3 web management interface exposes the fromVirtualSer handler, which processes virtual server configuration requests over HTTP. The handler copies user-controlled values from request parameters into fixed-size stack buffers without enforcing length boundaries. Five distinct copy operations associated with the variables puVar2, puVar1, __s2, __s1_00, and puVar3 are affected.
An attacker who sends an HTTP request containing oversized values for the corresponding fields overruns the destination stack buffers. The overrun corrupts adjacent stack data, including the saved return address, causing the HTTP daemon to crash. The router then becomes unresponsive on its management and routing services until it is power-cycled or restarted.
The attack requires no authentication, no user interaction, and only network access to the device. Embedded routers commonly expose their web interface on the local network and, in some deployments, the wide area network, broadening the attack surface.
Root Cause
The root cause is missing input validation on parameter length before invoking string copy operations on stack-allocated buffers. The fromVirtualSer function trusts attacker-supplied parameter sizes, allowing writes beyond the buffer boundaries [CWE-121].
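The unchecked-copy pattern described above, beside a length-checked replacement. This is an added illustration, not code from the Tenda firmware or the advisory; `FIELD_MAX`, `struct vs_rule` and every function name are assumptions, because the page does not show the handler's source or buffer sizes.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32 /* assumed size; the firmware's real buffer sizes are not on the page */

struct vs_rule {     /* hypothetical stand-in for one virtual-server entry */
    char ip[FIELD_MAX];
    char port[FIELD_MAX];
};

/* Unsafe pattern from the advisory: the copy length is set by the input alone.
 * Memory-safe only while strlen(value) < FIELD_MAX. */
void copy_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);
}

/* Hardened pattern: find the terminator within the buffer size, otherwise reject.
 * Returns 0 on success, -1 if the value is missing or does not fit. */
int copy_checked(char *dst, size_t dst_size, const char *value)
{
    const char *end;
    if (dst == NULL || dst_size == 0 || value == NULL)
        return -1;
    end = memchr(value, '\0', dst_size); /* examines at most dst_size bytes */
    if (end == NULL)
        return -1;                       /* value plus its NUL would not fit */
    memcpy(dst, value, (size_t)(end - value) + 1);
    return 0;
}

/* Validate every field into a scratch copy first, so a rejected request
 * leaves the stored rule untouched. */
int set_rule(struct vs_rule *out, const char *ip, const char *port)
{
    struct vs_rule tmp = { "", "" };
    if (copy_checked(tmp.ip, sizeof tmp.ip, ip) != 0 ||
        copy_checked(tmp.port, sizeof tmp.port, port) != 0)
        return -1;
    *out = tmp;
    return 0;
}

int main(void)
{
    struct vs_rule rule = { "", "" };
    printf("%d %d\n", set_rule(&rule, "192.168.0.10", "8080"),
           set_rule(&rule, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "8080"));
    return 0;
}
```

Rejecting the request is preferable to silently truncating the value, since a truncated address or port would be stored as a different, unintended rule.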
Attack Vector
The vector is network-based. An attacker crafts an HTTP POST or GET request to the router's web management endpoint that invokes fromVirtualSer with overlong parameter values. Delivery requires reachability to the router's HTTP service. Public technical details and proof-of-concept artifacts are published at the GitHub PoC Repository. No verified exploit code is reproduced here.
Detection Methods for CVE-2026-36779
Indicators of Compromise
- Unexpected reboots or unresponsive states of the Tenda O3 router, particularly following inbound HTTP traffic to the management interface.
- HTTP requests containing unusually long parameter values targeting the virtual server configuration endpoint handled by fromVirtualSer.
- Loss of wireless or routing services on the affected device without corresponding administrative action.
Detection Strategies
- Inspect network traffic for HTTP requests to the router that contain abnormally long values in virtual server configuration fields.
- Correlate router availability monitoring data with inbound HTTP traffic captures to identify crash-inducing request patterns.
- Enable syslog forwarding from the router, where supported, and alert on web daemon termination or restart events.
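One way to apply the first strategy to query strings or form bodies pulled from a traffic capture, as an added example that is not part of the advisory or any Tenda code. `VALUE_LIMIT`, the function names and the `field_a`/`field_b` names are assumptions; the page does not list the real field names or a safe length.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VALUE_LIMIT 64 /* assumed alert threshold; tune to the fields' legitimate sizes */

/* Decoded length of a URL-encoded value in [p, end): "%XX" counts as one byte. */
static size_t decoded_len(const char *p, const char *end)
{
    size_t n = 0;
    for (; p < end; n++) {
        if (*p == '%' && end - p >= 3 &&
            isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2]))
            p += 3;
        else
            p += 1;
    }
    return n;
}

/* Scan "a=1&b=2" data (query string or form body). Returns the longest decoded
 * value length and stores that parameter's name in name[cap] (cap >= 1). */
size_t longest_value(const char *params, char *name, size_t cap)
{
    size_t best = 0;
    name[0] = '\0';
    for (const char *p = params; *p; ) {
        const char *end = p + strcspn(p, "&");
        const char *eq = memchr(p, '=', (size_t)(end - p));
        size_t len = eq ? decoded_len(eq + 1, end) : 0;
        if (len > best) {
            best = len;
            snprintf(name, cap, "%.*s", (int)(eq - p), p);
        }
        p = *end ? end + 1 : end;
    }
    return best;
}

int main(void)
{
    char name[32], big[512] = "field_a=1&field_b="; /* constructed; names are placeholders */
    size_t n;

    memset(big + strlen(big), 'A', 300);            /* rest of big[] is already zero */
    n = longest_value(big, name, sizeof name);
    printf("%s: %zu bytes, alert=%d\n", name, n, n > VALUE_LIMIT);
    return 0;
}
```

Measuring the decoded length matters because percent-encoding triples the on-wire size of a byte, so a raw-length threshold would misjudge what the device ends up copying.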
Monitoring Recommendations
- Continuously monitor router uptime and management-plane reachability using ICMP and HTTP probes.
- Capture and review web-management traffic at the network perimeter for malformed requests targeting the affected endpoint.
- Track repeated administrative interface access from untrusted source addresses.
How to Mitigate CVE-2026-36779
Immediate Actions Required
- Restrict access to the Tenda O3 web management interface to trusted administrative hosts only.
- Disable remote (WAN-side) management on the router until a vendor patch is applied.
- Segment the router's management VLAN from general-purpose user and guest networks.
- Monitor for the latest firmware release from Shenzhen Tenda Technology that supersedes v1.0.0.5(4180).
Patch Information
No vendor advisory or fixed firmware version is referenced in the NVD entry for CVE-2026-36779 at the time of publication. Administrators should monitor the Tenda support site for an updated firmware release that supersedes v1.0.0.5(4180) and remediates the fromVirtualSer stack overflow.
Workarounds
- Place the Tenda O3 behind an upstream firewall and block inbound HTTP and HTTPS traffic to its management interface from untrusted networks.
- Apply Access Control Lists (ACLs) that permit web management traffic only from a defined administrative subnet.
- Disable any port-forwarding or virtual server features that expose the router's HTTP daemon to the internet.
- Replace the device with a supported alternative if no vendor patch becomes available.
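```bash
# Configuration example: block external access to router HTTP management
# Example using iptables on an upstream Linux gateway.
# Replace <router_ip> with the router's address; 10.0.0.10-10.0.0.20 is the
# range of administrative hosts that stays allowed.
# -A appends, so these rules only take effect if no earlier FORWARD rule
# already accepts the traffic.
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 \
  -m iprange ! --src-range 10.0.0.10-10.0.0.20 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 \
  -m iprange ! --src-range 10.0.0.10-10.0.0.20 -j DROP
```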


