Executive Summary

CVE-2026-36772 is a stack-based buffer overflow vulnerability in the Tenda W3 Wireless Router firmware version 1.0.0.3(2204). It occurs in the formwrlSSIDget CGI handler due to improper handling of the user-controlled parameters wl_radio and index.

Specifically, the index parameter is inserted into a fixed-size stack buffer using sprintf without validating its length. When an attacker sends a crafted HTTP request with wl_radio set to "0" and an excessively long index value, this causes a buffer overflow.

This overflow can lead to a Denial of Service (DoS) by crashing or rebooting the device, and potentially allows arbitrary code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) on the affected Tenda W3 Wireless Router, making the device crash or reboot unexpectedly.

Additionally, there is a potential risk of arbitrary code execution, which could allow an attacker to take control of the router or disrupt its normal operation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending a crafted HTTP request to the formwrlSSIDget CGI endpoint on the Tenda W3 Wireless Router firmware version 1.0.0.3(2204). Specifically, the request should include the parameter wl_radio set to "0" and an excessively long index value to test for the stack-based buffer overflow.

A detection command example using curl might be:

• curl -X GET "http://<router-ip>/formwrlSSIDget?wl_radio=0&index=$(python3 -c 'print("A"*500)')"

If the router crashes, reboots, or behaves abnormally after this request, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0