CVE-2026-36823
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tenda tenda_w20e 15.11.0.6
tenda w20e 15.11.0.6
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Executive Summary

The CVE-2026-36823 vulnerability affects the Tenda W20E router in the formAddWebAuthUser function. This function processes user input from the webAuthUserInfo parameter without proper bounds checking. Specifically, the parameter is passed to a strncpy operation without verifying its length, which can lead to a buffer overflow.

An attacker can exploit this by sending a specially crafted HTTP request containing a very long webAuthUserInfo parameter. This causes the buffer overflow, which can crash the process or destabilize the device, resulting in a denial of service (DoS).

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the affected Tenda W20E router. By exploiting the buffer overflow, an attacker can crash the router's process or cause device instability, potentially disrupting network connectivity and availability.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests sent to the Tenda W20E router that invoke the addWebAuthUser action with an unusually long webAuthUserInfo parameter.

Specifically, an attacker exploits the vulnerability by sending a crafted HTTP request containing a webAuthUserInfo parameter with a very long string (e.g., 888 'a' characters followed by 50 or more newline characters).

To detect such attempts, you can capture and inspect HTTP traffic targeting the router's web interface for requests containing the addWebAuthUser action and analyze the length and content of the webAuthUserInfo parameter.

  • Use a network packet capture tool like tcpdump or Wireshark to capture HTTP traffic on the router's management interface.
  • Example tcpdump command to capture HTTP traffic on interface eth0: tcpdump -i eth0 -A 'tcp port 80'
  • Search captured traffic for HTTP POST or GET requests containing 'addWebAuthUser' and inspect the webAuthUserInfo parameter length.
  • Use command-line tools like grep or strings on captured data to find suspiciously long webAuthUserInfo parameters.
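
The length check described in the detection steps above, as an added example (not from the advisory or the vendor): it takes reassembled HTTP requests, for instance exported from a capture, and flags those that name the addWebAuthUser action and carry an oversized webAuthUserInfo value. The 256-character threshold, the host name and the request paths are assumptions; the advisory states neither the buffer size nor the endpoint path.

```python
from urllib.parse import parse_qs, urlsplit

ACTION = "addWebAuthUser"    # action name given in the advisory
PARAM = "webAuthUserInfo"    # parameter name given in the advisory
MAX_LEN = 256                # assumed alert threshold, not a vendor figure


def inspect_request(raw: bytes):
    """Return a finding for a request whose PARAM exceeds MAX_LEN, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                      # not a parseable HTTP request
    method, target = parts[0], parts[1]
    form = body.decode("latin-1")
    if ACTION not in target and ACTION not in form:
        return None                      # some other handler
    values = []
    for encoded in (urlsplit(target).query, form):
        # parse_qs percent-decodes, so %0A is counted as one newline character
        values += parse_qs(encoded, keep_blank_values=True).get(PARAM, [])
    longest = max(values, key=len, default="")
    if len(longest) <= MAX_LEN:
        return None
    return {"method": method, "length": len(longest),
            "newlines": longest.count("\n")}


def scan(requests):
    """Inspect reassembled requests and keep only the findings."""
    return [f for f in map(inspect_request, requests) if f is not None]


# Constructed sample requests; host and paths are placeholders.
HDR = b" HTTP/1.1\r\nHost: router.example\r\n\r\n"
SAMPLES = [
    b"POST /placeholder/addWebAuthUser" + HDR + b"webAuthUserInfo=alice",
    b"POST /placeholder/addWebAuthUser" + HDR
    + b"webAuthUserInfo=" + b"x" * 600 + b"%0A%0A",
    b"POST /placeholder/otherAction" + HDR + b"webAuthUserInfo=" + b"x" * 600,
]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Lower MAX_LEN to just above the longest value legitimate administration produces in your environment, since any alert on this handler from an untrusted source address is worth reviewing.
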
Mitigation Strategies

Immediate mitigation steps include restricting access to the router's web management interface to trusted networks or IP addresses to prevent unauthorized HTTP requests.

Additionally, monitor the router for crashes or instability that may indicate exploitation attempts.

If possible, apply any available firmware updates or patches from the vendor that address this vulnerability.

As a temporary measure, consider disabling remote web management or using firewall rules to block suspicious HTTP requests containing the addWebAuthUser action.
