VYPR
Unrated severity · NVD Advisory · Published Nov 19, 2021 · Updated Aug 4, 2024

CVE-2021-41436

Description

An HTTP request smuggling vulnerability in multiple ASUS router models allows a remote unauthenticated attacker to cause a denial of service via a crafted HTTP packet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An HTTP request smuggling vulnerability exists in the web application component of multiple ASUS router models, including the ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series (RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, and ASUS ZenWiFi AX (XT8) devices running firmware versions prior to 3.0.0.4.386.45898, and the RT-AX68U prior to 3.0.0.4.386.45911 [1][2][3][4]. The flaw allows an attacker to smuggle HTTP requests by sending a specially crafted packet that the server interprets differently than the intended proxy or backend, disrupting normal HTTP processing.

Exploitation

A remote, unauthenticated attacker can exploit this vulnerability by sending a single specially crafted HTTP packet to the affected router's web interface [1][2][3][4]. No prior authentication or special network position is required; the attacker only needs network connectivity to the router's management interface. The crafted packet manipulates the HTTP request parsing to cause the server to misinterpret the request boundaries, leading to a denial of service condition.

Impact

Successful exploitation allows an unauthenticated remote attacker to cause a denial of service (DoS) condition on the affected router [1][2][3][4]. The attacker disrupts the normal operation of the web application, potentially making the router's management interface unavailable. The vulnerability does not directly lead to code execution or data disclosure, but the DoS can prevent legitimate users from accessing router configuration and monitoring features.

Mitigation

The vulnerability is fixed in firmware version 3.0.0.4.386.45898 for most affected models, and version 3.0.0.4.386.45911 for the RT-AX68U [1][2][3][4]. Users should update their router firmware to the latest available version from ASUS's official support pages. No workarounds have been publicly disclosed for unpatched devices. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
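An added example, not part of the advisory or of any ASUS tooling: a small inventory audit that compares each router's reported firmware against the fixed builds stated above, including the separate threshold for the RT-AX68U. The short model identifiers, the `host,model,firmware` record format, the underscore build separator and the sample rows are assumptions constructed for illustration.

```python
import re

# Fixed builds as stated in the advisory text above.
DEFAULT_FIXED = (3, 0, 0, 4, 386, 45898)
FIXED_BY_MODEL = {"RT-AX68U": (3, 0, 0, 4, 386, 45911)}
# Assumed short identifiers for the models the advisory lists.
AFFECTED = {
    "GT-AX11000", "RT-AX3000", "RT-AX55", "RT-AX56U", "RT-AX56U_V2",
    "RT-AX58U", "RT-AX68U", "RT-AX82U", "RT-AX86U", "RT-AX86S", "RT-AX88U",
    "RT-AX92U", "TUF-AX3000", "TUF-AX5400", "XD6", "XT8",
}

def parse_version(text):
    """Return the firmware version as a 6-tuple of ints, or None if malformed."""
    core = text.strip().split("-", 1)[0]   # drop any trailing build suffix
    parts = re.split(r"[._]", core)        # accept 386.45898 and 386_45898
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9]+", p) for p in parts):
        return None
    return tuple(int(p) for p in parts)

def assess(model, firmware):
    """Classify a device: patched, vulnerable, not-listed or unknown-version."""
    model = model.strip().upper()
    if model not in AFFECTED:
        return "not-listed"                # not named in this advisory
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"           # needs a manual check
    fixed = FIXED_BY_MODEL.get(model, DEFAULT_FIXED)
    # Tuple comparison is numeric per field; a string compare would get
    # 9999 vs 45898 wrong.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_csv):
    """Map each host in 'host,model,firmware' lines to its status."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, model, firmware = [f.strip() for f in line.split(",")]
        results[host] = assess(model, firmware)
    return results

# Constructed sample inventory (not real devices).
SAMPLE = """
rtr-lobby,RT-AX88U,3.0.0.4.386_45898
rtr-lab,RT-AX68U,3.0.0.4.386.45898
rtr-attic,rt-ax55,3.0.0.4.384_9999
rtr-guest,RT-AC68U,3.0.0.4.386_45898
rtr-old,XT8,unknown
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

The `rtr-lab` row shows why the per-model threshold matters: build 45898 is the fixed version for most models but is still below the RT-AX68U fix.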

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • ASUS/ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series, RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400, ZenWiFi XD6, ZenWiFi AX (description)
  • Range: <3.0.0.4.386.45898
  • Range: <3.0.0.4.386.45898
  • Asus/RT-AX3000 (llm-fuzzy)
    Range: <3.0.0.4.386.45898

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

8
