CVE-2026-36770

Vulnerability

A stack-based buffer overflow vulnerability exists in the ask_to_reboot function within the wireless configuration handler of Shenzhen Tenda Technology Co., Ltd Tenda US_W3V1.0BR v1.0.0.3. The vulnerability is triggered when processing the user-controlled HTTP parameter GO which is passed to ask_to_reboot and then concatenated into a fixed-size stack buffer using an unbounded sprintf function, potentially leading to a crash or reboot [1].

Exploitation

An attacker needs network access to the device and can trigger the vulnerability by sending a crafted HTTP request to the ask_to_reboot CGI handler. The request must contain an excessively long value for the GO parameter, and a specific runtime condition (bVar1 != 0) must be met to reach the vulnerable sprintf path [1].

Impact

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) by causing the httpd process to crash or the device to reboot. Depending on the device's architecture and runtime protections, there is also a potential for arbitrary code execution [1].

Mitigation

No specific patched version or release date is disclosed in the available references. It is recommended to consult Tenda for any available security updates. The vulnerability was publicly disclosed on 2026-06-06 [1].