CVE-2026-36809
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
AI Q&A
2026-06-09
EPSS Evaluated
N/A
NVD
CVE-2026-36809
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tenda tenda_w15e 15.11.0.10
tenda w15e 15.11.0.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-36809 vulnerability affects the Tenda W15E router, specifically in the formModifyWebAuthWhiteUser function. It is a buffer overflow issue caused by improper handling of the user-controlled HTTP parameter webAuthWhiteID.

An attacker can send a specially crafted HTTP request with a long webAuthWhiteID parameter along with certain other parameters set (webAuthWhiteUserType set to "mac", and webAuthWhiteUser and webAuthUserPwd not null) to trigger this buffer overflow.

This overflow occurs when the vulnerable code uses the webAuthWhiteID parameter in functions like printf and sprintf without proper bounds checking, leading to memory corruption.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) on the affected Tenda W15E router.

The buffer overflow can crash the process handling the web authentication white list or cause device instability, potentially disrupting network connectivity and router functionality.

Detection Guidance

This vulnerability can be detected by monitoring for crafted HTTP requests sent to the formModifyWebAuthWhiteUser CGI endpoint on the Tenda W15E router. Specifically, look for HTTP requests containing a long webAuthWhiteID parameter (e.g., "888*a" or longer) along with non-null parameters webAuthWhiteUserType, webAuthWhiteUser, and webAuthUserPwd, where webAuthWhiteUserType is set to "mac".

To detect such attempts, you can use network monitoring tools or intrusion detection systems to filter HTTP POST requests to the endpoint "/formModifyWebAuthWhiteUser" with suspiciously long webAuthWhiteID values.

Example command using tcpdump to capture HTTP POST requests to the vulnerable endpoint:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /formModifyWebAuthWhiteUser'

Alternatively, use tools like Wireshark to filter HTTP traffic for POST requests to "/formModifyWebAuthWhiteUser" and inspect the parameters for unusually long webAuthWhiteID values.

Mitigation Strategies

Immediate mitigation steps include restricting access to the web management interface of the Tenda W15E router to trusted networks or IP addresses to prevent unauthorized HTTP requests to the vulnerable endpoint.

Additionally, monitor the device logs and network traffic for signs of exploitation attempts involving the formModifyWebAuthWhiteUser function.

If possible, update the router firmware to a version that addresses this vulnerability once it becomes available from the vendor.

As a temporary workaround, consider disabling remote management features or blocking HTTP POST requests to the "/formModifyWebAuthWhiteUser" endpoint via firewall rules.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36809. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart