CVE-2026-36817 Overview
CVE-2026-36817 is a buffer overflow vulnerability in the Shenzhen Tenda Technology Tenda W15E router running firmware version v15.11.0.10. The flaw resides in the webAuthWhiteUserInfo parameter processed by the formAddWebAuthWhiteUser function. Remote attackers can trigger a denial-of-service (DoS) condition by sending a crafted HTTP request to the affected endpoint. The vulnerability is categorized under [CWE-120] Classic Buffer Overflow. No authentication or user interaction is required to exploit this issue.
Critical Impact
Unauthenticated remote attackers can crash the Tenda W15E router over the network using a single malformed HTTP request, disrupting connectivity for all downstream users.
Affected Products
- Shenzhen Tenda Technology Co., Ltd. Tenda W15E router
- Firmware version v15.11.0.10
- formAddWebAuthWhiteUser web management handler
Discovery Timeline
- 2026-06-09 - CVE-2026-36817 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-36817
Vulnerability Analysis
The vulnerability exists in the formAddWebAuthWhiteUser function inside the Tenda W15E web management interface. This function processes the webAuthWhiteUserInfo HTTP parameter when an administrator adds an authentication whitelist entry. The handler copies attacker-controlled input into a fixed-size stack buffer without validating the length of the supplied data. Sending an oversized value overruns the destination buffer and corrupts adjacent stack memory. The resulting memory corruption forces the httpd process to terminate, producing a denial-of-service condition that disrupts network management and routing services.
The Exploit Prediction Scoring System (EPSS) places this vulnerability in the 48.99th percentile as of 2026-06-11, indicating moderate exploitation likelihood among published CVEs.
Root Cause
The root cause is the absence of bounds checking on the webAuthWhiteUserInfo parameter prior to copying it into a stack-allocated buffer. The formAddWebAuthWhiteUser function trusts the length of the HTTP-supplied value and uses an unsafe string copy operation. This pattern is common across embedded device firmware where developers rely on strcpy or sprintf rather than length-bounded alternatives.
Attack Vector
An attacker reachable over the network sends a crafted HTTP POST request to the router's web administration endpoint. The request body or query string contains an oversized webAuthWhiteUserInfo value. Because the attack requires no privileges and no user interaction, any network-adjacent attacker with access to the management interface can trigger the crash. Repeated exploitation produces a sustained DoS against the device.
No verified proof-of-concept code is reproduced here. Technical artifacts are available in the GitHub PoC Repository.
Detection Methods for CVE-2026-36817
Indicators of Compromise
- Unexpected reboots or httpd process crashes on Tenda W15E devices running firmware v15.11.0.10.
- HTTP requests targeting formAddWebAuthWhiteUser with abnormally long webAuthWhiteUserInfo values.
- Loss of management plane availability while the data plane remains intermittently reachable.
Detection Strategies
- Inspect HTTP traffic destined for the router management interface for requests containing webAuthWhiteUserInfo parameters exceeding expected length thresholds.
- Correlate router watchdog reboots and httpd restarts with inbound HTTP POST activity to identify exploitation attempts.
- Deploy network IDS signatures that match URI paths invoking formAddWebAuthWhiteUser paired with oversized parameter payloads.
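The length check from the strategies above, as an added example that is not vendor or PoC code. It keys on the parameter name because the advisory does not give the request path. The 256-character threshold, the placeholder path and the sample requests are constructed assumptions, and lengths are measured after URL decoding.

```python
from urllib.parse import urlsplit, parse_qsl

PARAM = "webAuthWhiteUserInfo"  # parameter named in the advisory
MAX_LEN = 256                   # assumed threshold; tune to legitimate values


def param_lengths(raw: bytes) -> list:
    """Decoded length of every PARAM value in the query string and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(request_line) < 2:
        return []
    # Check the body even without a form Content-Type: the detector should
    # not depend on the sender labelling the request honestly.
    sources = [urlsplit(request_line[1]).query, body.decode("latin-1")]
    return [len(value)
            for src in sources
            for key, value in parse_qsl(src, keep_blank_values=True)
            if key == PARAM]


def is_suspicious(raw: bytes, max_len: int = MAX_LEN) -> bool:
    """True when any PARAM value in the request exceeds max_len."""
    return any(n > max_len for n in param_lengths(raw))


def build(target: str, body: str = "") -> bytes:
    """Constructed sample request; host and path are placeholders."""
    return (f"POST {target} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


SAMPLES = {
    "short_body": build("/placeholder", f"{PARAM}=entry-1"),
    "long_body": build("/placeholder", f"{PARAM}=" + "x" * 1000),
    "long_query": build(f"/placeholder?{PARAM}=" + "x" * 1000),
    "encoded_short": build("/placeholder", f"{PARAM}=" + "%78" * 100),
    "encoded_long": build("/placeholder", f"{PARAM}=" + "%78" * 300),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, param_lengths(raw), is_suspicious(raw))
```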
Monitoring Recommendations
- Forward router syslog and crash telemetry to a centralized log platform for correlation with network flow data.
- Alert on repeated HTTP 5xx responses or connection resets from the router management interface within short time windows.
- Track device uptime metrics and flag anomalous restarts of internet-facing Tenda W15E units.
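One way to correlate httpd restarts with preceding HTTP POST activity once both log sources are centralized, as an added example that is not part of the advisory. The log line format, host names, addresses and the 30-second window are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumed look-back before each restart
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed log lines in a hypothetical format: firewall POST records
# mixed with router syslog restart messages.
LOG = """\
2026-06-12T10:00:05Z fw POST src=198.51.100.7 dst=192.0.2.1 bytes=1412
2026-06-12T10:00:09Z w15e httpd restarted
2026-06-12T10:04:40Z fw POST src=10.0.0.15 dst=192.0.2.1 bytes=96
2026-06-12T10:07:31Z fw POST src=198.51.100.7 dst=192.0.2.1 bytes=1412
2026-06-12T10:07:33Z w15e httpd restarted
2026-06-12T11:30:00Z w15e httpd restarted
"""


def parse(log):
    """Split the log into (time, source) POST records and restart times."""
    posts, restarts = [], []
    for line in log.splitlines():
        stamp, _, rest = line.partition(" ")
        when = datetime.strptime(stamp, FMT)
        tokens = rest.split()
        if len(tokens) > 1 and tokens[1] == "POST":
            fields = dict(t.split("=", 1) for t in tokens if "=" in t)
            posts.append((when, fields["src"]))
        elif rest.endswith("httpd restarted"):
            restarts.append(when)
    return posts, restarts


def correlate(log, window=WINDOW):
    """Map each restart to the sources that sent a POST in the window before it."""
    posts, restarts = parse(log)
    return {r: sorted({src for when, src in posts
                       if timedelta(0) <= r - when <= window})
            for r in restarts}


def repeat_sources(log, minimum=2):
    """Sources seen shortly before at least `minimum` separate restarts."""
    counts = Counter(s for srcs in correlate(log).values() for s in srcs)
    return sorted(s for s, n in counts.items() if n >= minimum)
```

A restart with no POST in the window, like the last one in the sample, points to a different cause and should not raise this alert.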
How to Mitigate CVE-2026-36817
Immediate Actions Required
- Restrict access to the Tenda W15E web management interface to trusted management VLANs or jump hosts only.
- Disable remote WAN-side administration if it is enabled on affected devices.
- Apply network ACLs to block untrusted sources from reaching TCP/80 and TCP/443 on the router.
Patch Information
No vendor patch is referenced in the NVD entry for CVE-2026-36817 at the time of publication. Operators should monitor Shenzhen Tenda Technology security advisories for firmware updates that supersede v15.11.0.10. Until a fixed firmware release is available, compensating controls must remain in place.
Workarounds
- Place the router management interface behind a firewall that filters HTTP requests to formAddWebAuthWhiteUser.
- Replace affected Tenda W15E devices with supported hardware if a vendor patch remains unavailable.
- Implement upstream rate limiting and request size restrictions on HTTP traffic to the device.
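# Example iptables rules to restrict management access to a trusted subnet
# INPUT filters traffic addressed to the host where the rules are loaded.
# -A appends, so any earlier ACCEPT for these ports is matched first.
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP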


