CVE-2026-36811 Overview
CVE-2026-36811 is a buffer overflow vulnerability in Shenzhen Tenda Technology Co., Ltd Tenda W15E router firmware version v15.11.0.10. The flaw resides in the formDelwebAuthPic function, which fails to validate the length of the picName parameter received from HTTP requests. Remote attackers can send a crafted HTTP request to overflow the buffer and trigger a Denial of Service (DoS) condition. The vulnerability is tracked under CWE-120: Buffer Copy without Checking Size of Input.
Critical Impact
Unauthenticated remote attackers can crash the Tenda W15E router over the network by sending a single malformed HTTP request, disrupting network availability for all connected users.
Affected Products
- Shenzhen Tenda Technology Co., Ltd Tenda W15E
- Firmware version v15.11.0.10
- Web management interface exposing the formDelwebAuthPic endpoint
Discovery Timeline
- 2026-06-09 - CVE-2026-36811 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-36811
Vulnerability Analysis
The vulnerability exists in the formDelwebAuthPic handler within the Tenda W15E HTTP management interface. This handler processes requests to delete web authentication picture resources and accepts a user-supplied picName parameter. The function copies the parameter value into a fixed-size stack buffer without verifying its length. A sufficiently long picName value overwrites adjacent stack memory, corrupts the return address, and crashes the httpd process responsible for the web interface and routing services.
The attack does not require authentication, user interaction, or local access. A single crafted HTTP POST request is enough to trigger the condition. Successful exploitation results in loss of availability for the device's web management and dependent network functions until the device reboots.
Root Cause
The root cause is the absence of bounds checking on the picName parameter before it is copied into a stack-allocated buffer. The handler trusts the length of attacker-controlled input from the HTTP request body, which is characteristic of the classic buffer overflows (CWE-120) common in embedded SOHO router firmware written in C.
Attack Vector
The attack vector is network-based. An attacker with HTTP reachability to the router's management interface issues a crafted POST request to the endpoint backed by formDelwebAuthPic, supplying an oversized picName value. Public proof-of-concept material is available in the GitHub PoC Repository. The exploit produces a denial-of-service outcome, with no confirmed path to code execution disclosed in the advisory.
Detection Methods for CVE-2026-36811
Indicators of Compromise
- HTTP POST requests targeting the formDelwebAuthPic endpoint on the router's management interface.
- Unusually large picName parameter values in HTTP request bodies, exceeding typical filename lengths.
- Unexpected reboots, httpd crashes, or loss of management-plane availability on Tenda W15E devices.
Detection Strategies
- Inspect HTTP traffic destined for Tenda W15E management interfaces for requests containing the formDelwebAuthPic path with oversized parameter payloads.
- Apply network IDS signatures that flag POST requests with picName values exceeding a conservative length threshold (for example, 256 bytes).
- Correlate router reboot events and management-interface outages with preceding inbound HTTP requests from external or untrusted internal sources.
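
The length check from the strategies above, written out as an added example (it is not part of the advisory or of any vendor tooling). It matches on the handler name as the advisory gives it and uses the suggested 256-byte threshold; the URL prefix and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Handler name as given in the advisory; the device's real URL path is an assumption.
ENDPOINT_MARKER = "formdelwebauthpic"
PARAM = "picName"
MAX_PICNAME_BYTES = 256  # conservative threshold suggested in the advisory


def inspect_request(raw: bytes):
    """Return an alert dict for an oversized picName POST, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.decode("latin-1").split("\r\n")[0].split(" ")
    if len(parts) != 3:
        return None  # not a parseable request line
    method, target, _version = parts
    url = urlsplit(target)
    path = unquote(url.path)  # normalise percent-encoded path characters
    if method.upper() != "POST" or ENDPOINT_MARKER not in path.lower():
        return None
    # picName may be in the query string or the body; check every occurrence.
    # latin-1 maps one byte to one character, so len() counts decoded bytes.
    pairs = parse_qsl(url.query + "&" + body.decode("latin-1"),
                      keep_blank_values=True, encoding="latin-1")
    # Measure the percent-decoded value: raw length overcounts "%41"-style input.
    longest = max((len(v) for k, v in pairs if k == PARAM), default=None)
    if longest is None or longest <= MAX_PICNAME_BYTES:
        return None
    return {"rule": "CVE-2026-36811 oversized picName", "path": path,
            "picname_bytes": longest, "threshold": MAX_PICNAME_BYTES}


def build_request(target: str, body: str) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (f"POST {target} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


URL = "/example-prefix/formDelwebAuthPic"  # constructed path prefix
SAMPLES = {
    "normal": build_request(URL, "picName=logo.png"),
    "oversized": build_request(URL, "picName=" + "A" * 300),
    "encoded_ok": build_request(URL, "picName=" + "%41" * 200),
    "other_form": build_request("/example-prefix/otherForm", "picName=" + "A" * 300),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11s} {inspect_request(raw)}")
```

The function expects a fully reassembled request, so a sensor feeding it must handle bodies split across TCP segments before the length is measured.
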
Monitoring Recommendations
- Centralize syslog from Tenda W15E devices and alert on repeated httpd restarts or watchdog-triggered reboots.
- Monitor WAN-side access attempts to the router's HTTP/HTTPS management ports and alert on any unauthorized exposure.
- Track availability of LAN gateway services using uptime probes to detect short-duration DoS events.
How to Mitigate CVE-2026-36811
Immediate Actions Required
- Restrict access to the Tenda W15E web management interface to trusted management VLANs and disable WAN-side administration.
- Place affected devices behind a firewall or reverse proxy that enforces request size limits on management endpoints.
- Audit device inventory for Tenda W15E units running firmware v15.11.0.10 and prioritize them for replacement or isolation if no vendor patch is available.
Patch Information
No vendor patch or security advisory from Shenzhen Tenda Technology is referenced in the NVD entry at the time of publication. Administrators should monitor the Tenda official support site for firmware updates addressing the formDelwebAuthPic handler. Until a fixed firmware version is released, compensating controls are required.
Workarounds
- Block external access to the router's HTTP management port using upstream firewall rules.
- Enforce ACLs that allow management access only from specific administrator IP addresses on the LAN.
- Consider replacing affected Tenda W15E units with supported hardware in environments where availability is critical and no patch is forthcoming.
# Example: restrict management interface access on an upstream firewall
# Drop inbound HTTP/HTTPS to the router management IP from untrusted networks
iptables -A FORWARD -p tcp -d 192.0.2.1 --dport 80 -j DROP
iptables -A FORWARD -p tcp -d 192.0.2.1 --dport 443 -j DROP
# Allow management only from a trusted admin subnet
iptables -I FORWARD -p tcp -s 10.10.0.0/24 -d 192.0.2.1 --dport 80 -j ACCEPT
iptables -I FORWARD -p tcp -s 10.10.0.0/24 -d 192.0.2.1 --dport 443 -j ACCEPT


