CVE-2026-36792
Status: Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formWifiRadioSet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
shenzhen_tenda_technology_co_ltd | tenda_w3_wireless_router | 1.0.0.3
tenda | w3 | From 1.0.0.3 (inc)
CWE ID: CWE-UNKNOWN
Executive Summary

The CVE-2026-36792 vulnerability affects the Tenda W3 Wireless Router firmware version V1.0.0.3(2204). It is a buffer overread issue in the formWifiRadioSet CGI handler. The vulnerability occurs when the router processes user-controlled parameters, specifically wl_radio and hidden_country, which are retrieved via the websGetVar function.

Inside the vulnerable function, the wl_radio parameter is converted to an integer using atoi. An attacker can manipulate this parameter to a very large value (for example, 0x7fffffff), which is then used as an index to access a buffer. This leads to a buffer overread condition.

As a result, the router may crash or reboot unexpectedly, causing a Denial of Service (DoS).

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) on the affected Tenda W3 Wireless Router. An attacker can send a specially crafted HTTP request that triggers the buffer overread, causing the router to crash or reboot.

The impact is that network connectivity provided by the router will be interrupted, potentially causing downtime for users relying on the device for internet access.

Detection Guidance

This vulnerability can be detected by monitoring for unusual crashes or reboots of the Tenda W3 Wireless Router running firmware version V1.0.0.3(2204). Since the issue is triggered by a crafted HTTP request to the formWifiRadioSet CGI handler with manipulated wl_radio parameters, detection can involve inspecting HTTP requests targeting the formWifiRadioSet endpoint.

You can use network monitoring tools or packet capture utilities like tcpdump or Wireshark to filter HTTP requests to the router's IP address and look for requests to the formWifiRadioSet handler that carry suspiciously large or malformed wl_radio values.

  • Example tcpdump command to capture HTTP requests to the router: tcpdump -i <interface> host <router_ip> and tcp port 80 -w capture.pcap
  • Use Wireshark to open capture.pcap and filter HTTP requests containing 'formWifiRadioSet' and inspect the wl_radio parameter values.

Additionally, monitoring router logs for unexpected crashes or reboots can help identify exploitation attempts.
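
The inspection step described above can be automated once requests have been reassembled from a capture. The following is an added example, not code from the vendor or from this advisory: it assumes wl_radio is an on/off switch whose only legitimate values are 0 and 1, and the sample requests, path prefix and Host header are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

HANDLER = "formWifiRadioSet"     # handler name taken from the advisory
ALLOWED_WL_RADIO = {"0", "1"}    # assumption: wl_radio is an on/off switch

def wl_radio_values(raw_request: bytes):
    """Return the wl_radio values of a request to the handler, else None."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(request_line) < 2:
        return None
    url = urlsplit(request_line[1])
    if HANDLER not in url.path:
        return None
    # Parameters may arrive in the query string or a form-encoded body.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return [value for key, value in pairs if key == "wl_radio"]

def classify(value: str) -> str:
    """Label one wl_radio value: ok, out-of-range or malformed."""
    text = value.strip()
    if text in ALLOWED_WL_RADIO:
        return "ok"
    for base in (10, 0):         # plain decimal, then prefixed forms like 0x7fffffff
        try:
            int(text, base)
            return "out-of-range"
        except ValueError:
            continue
    return "malformed"

def inspect(raw_request: bytes):
    """Return (value, verdict) for every suspicious wl_radio in the request."""
    values = wl_radio_values(raw_request) or []
    return [(v, classify(v)) for v in values if classify(v) != "ok"]

# Constructed sample requests; the path prefix and Host are placeholders.
SAMPLES = [
    b"POST /example-prefix/formWifiRadioSet HTTP/1.1\r\nHost: router.example\r\n\r\n"
    b"wl_radio=2147483647&hidden_country=US",
    b"GET /example-prefix/formWifiRadioSet?wl_radio=1 HTTP/1.1\r\nHost: router.example\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample))
```

Adjust ALLOWED_WL_RADIO if the device's own web interface is observed sending other values during normal use.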

Mitigation Strategies

To mitigate this vulnerability immediately, avoid exposing the formWifiRadioSet CGI handler to untrusted networks or users, as the vulnerability is triggered via crafted HTTP requests to this endpoint.

Restrict access to the router's management interface by implementing network-level controls such as firewall rules or access control lists to limit who can send HTTP requests to the router.

Monitor for and block suspicious HTTP requests containing abnormal or large wl_radio parameter values.

Check with the vendor (Shenzhen Tenda Technology Co., Ltd) for firmware updates or patches that address this stack overflow vulnerability and apply them as soon as they become available.

If possible, consider temporarily disabling remote management features until a patch is applied.
