VYPR
Vypr Intelligence · AI-generated · Jun 9, 2026 · 25 CVEs

Tenda Routers: 25 Buffer Overflow CVEs Disclosed Across Four Models in Single-Day Batch

Twenty-five buffer overflow vulnerabilities were disclosed across four Tenda router models on June 9, 2026, all exploitable via crafted HTTP requests to cause denial of service.

Key findings

  • 25 buffer overflow CVEs disclosed in a single day across four Tenda router models
  • Ten of the CVEs affect the Tenda W15E (v15.11.0.10) alone
  • All but one CVE are rated High severity (CVSS 7.5); one is Medium (6.5)
  • Every vulnerability can be triggered via a crafted HTTP request to the web interface
  • No vendor patches or advisories have been released as of disclosure date
  • Flaws span authentication, DHCP, portal, and debug functions

On June 9, 2026, a batch of 25 buffer overflow vulnerabilities was disclosed across four Tenda router models — the W20E, W15E, G0, and PW201A — all carrying a CVSSv3 score of 7.5 (High) except for one rated 6.5 (Medium). The sheer volume of flaws disclosed in a single day points to systemic input-validation weaknesses in Tenda's web management interfaces, affecting devices that are often deployed in small-office and enterprise edge networks.

Tenda W15E — Ten Buffer Overflows

The largest share of the batch targets the Tenda W15E (v15.11.0.10), with ten distinct CVEs. These include CVE-2026-36806 and CVE-2026-36807 in the webAuthUserPwd parameter of the formModifyWebAuthUser and formAddWebAuthUser functions, respectively, as well as CVE-2026-36808 in the webAuthUserInfo parameter of formAddWebAuthUser. The formPortalAuth function is hit via the gotoUrl parameter (CVE-2026-36810), and the formCropAndSetWewifiPic function via picCropName (CVE-2026-36813). Additional flaws were found in formDelwebAuthPic (CVE-2026-36811), formSetNetCheckTools (CVE-2026-36815), formAddWewifiWhiteUser (CVE-2026-36816), formAddWebAuthWhiteUser (CVE-2026-36817), and formModifyWebAuthWhiteUser (CVE-2026-36809). All ten are buffer overflows triggered by crafted HTTP requests, leading to denial of service.

Tenda W20E — Six Buffer Overflows

The Tenda W20E (v15.11.0.6) accounts for six CVEs. CVE-2026-36823 targets the webAuthUserInfo parameter in formAddWebAuthUser, while CVE-2026-36822 hits the macAddr parameter in formDelStaState. The formCropAndSetWewifiPic function is affected via picCropName (CVE-2026-36821), and formAddWebAuthWhiteUser via webAuthWhiteUserInfo (CVE-2026-36820). The fromSetDhcpRules function is vulnerable through the bindMACAddr parameter (CVE-2026-36819), and formAddWewifiWhiteUser through wewifiWhiteUserInfo (CVE-2026-36818).

Tenda G0 — Six Buffer Overflows

The Tenda G0 (v15.11.0.5) contributes six CVEs. CVE-2026-36805 describes multiple buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. The formIPMacBindAdd function is vulnerable through IPMacBindRule (CVE-2026-36801), and formIPMacBindDel through IPMacBindIndex (CVE-2026-36800). CVE-2026-36799 affects the formPortalAuth function via the portalAuth parameter, and CVE-2026-36797 targets formIPMacBindModify via IPMacBindRuleIp. The only Medium-severity CVE in the batch, CVE-2026-36798 (CVSS 6.5), involves multiple stack overflows in the formSetDebugCfgr function through the enable, level, and module parameters.

Tenda PW201A — Two Buffer Overflows

The PW201A (v1.0.5) has two CVEs: CVE-2026-36803 in the page parameter of the qossetting function, and CVE-2026-36802 in the page parameter of the SafeMacFilter function.

Impact and Response

All 25 vulnerabilities share the same impact — an unauthenticated or low-privilege attacker can send a specially crafted HTTP request to the router's web interface, triggering a buffer overflow that crashes the device and causes a denial of service. No evidence of remote code execution or data exfiltration has been reported for these specific CVEs. As of the disclosure date, Tenda has not released a coordinated security advisory or firmware updates for the affected models. Users are advised to restrict administrative web interface access to trusted internal networks and monitor Tenda's official support channels for patch announcements.
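For monitoring while no patches exist, the sketch below is an added example (not part of the CVE records or any vendor tooling) that scans HTTP request logs for over-long values in the functions and parameters named in this article. It assumes the handler name is the last URL path segment, a log format of `src method url [body]`, and an alerting threshold of 128 characters; the `/mgmt/` prefix, the `host` parameter and all log lines are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Handler -> parameters named in the article. An empty set means the article
# names the function but no parameter, so every parameter is checked.
WATCHLIST = {
    "formModifyWebAuthUser": {"webAuthUserPwd"},
    "formAddWebAuthUser": {"webAuthUserPwd", "webAuthUserInfo"},
    "formPortalAuth": {"gotoUrl", "portalAuth"},
    "formCropAndSetWewifiPic": {"picCropName"},
    "formAddWebAuthWhiteUser": {"webAuthWhiteUserInfo"},
    "formAddWewifiWhiteUser": {"wewifiWhiteUserInfo"},
    "formDelStaState": {"macAddr"}, "fromSetDhcpRules": {"bindMACAddr"},
    "Saveqqlist": {"qqStr", "markStr"}, "formIPMacBindAdd": {"IPMacBindRule"},
    "formIPMacBindDel": {"IPMacBindIndex"}, "qossetting": {"page"},
    "formIPMacBindModify": {"IPMacBindRuleIp"}, "SafeMacFilter": {"page"},
    "formSetDebugCfgr": {"enable", "level", "module"},
    "formDelwebAuthPic": set(), "formSetNetCheckTools": set(),
    "formModifyWebAuthWhiteUser": set(),
}
MAX_LEN = 128  # assumed alerting threshold, not a buffer size from the article

def suspicious(line, max_len=MAX_LEN):
    """Return (src, handler, param, length) hits for one 'src method url [body]' line."""
    fields = line.split(" ", 3)
    if len(fields) < 3:
        return []  # malformed line: nothing to inspect
    src, url, body = fields[0], fields[2], fields[3] if len(fields) > 3 else ""
    parts = urlsplit(url)
    handler = parts.path.rstrip("/").rsplit("/", 1)[-1]  # assumed: last path segment
    named = WATCHLIST.get(handler)
    if named is None:
        return []  # not one of the functions named in the article
    # Inspect both the query string and a form-encoded body, after URL decoding.
    pairs = parse_qsl(parts.query, True) + parse_qsl(body, True)
    return [(src, handler, k, len(v)) for k, v in pairs
            if (not named or k in named) and len(v) > max_len]

def scan(lines, max_len=MAX_LEN):
    return [hit for line in lines for hit in suspicious(line.strip(), max_len)]

# Constructed log lines; the /mgmt/ prefix and the "host" parameter are placeholders.
SAMPLE = [
    "192.0.2.10 POST /mgmt/formPortalAuth gotoUrl=" + "A" * 600,
    "192.0.2.11 POST /mgmt/formPortalAuth gotoUrl=http%3A%2F%2Fexample.test%2F",
    "192.0.2.12 GET /mgmt/qossetting?page=" + "1" * 300,
    "192.0.2.13 POST /mgmt/formSetNetCheckTools host=" + "B" * 200,
    "192.0.2.14 GET /index.html",
]
if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT src=%s handler=%s param=%s len=%d" % hit)
```

Tune the threshold against normal traffic for the deployment, since legitimate values such as redirect URLs can be long.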

Why This Batch Matters

The simultaneous disclosure of 25 buffer overflows across four Tenda router families underscores a recurring pattern in consumer and SOHO networking equipment: web management interfaces that lack basic input sanitization. While each individual CVE is a DoS bug, the concentration of flaws in authentication, DHCP, and portal functions suggests that a determined attacker could chain multiple overflows or use them as a foothold for deeper exploitation. Organizations running Tenda W20E, W15E, G0, or PW201A devices should treat this batch as a signal to audit their network-edge security posture and push for vendor-supplied fixes.

AI-written article. Grounded in 25 CVE records listed below.