CVE-2026-36778

Vulnerability

A stack-based buffer overflow vulnerability exists in the R7WebsSecurityHandler CGI handler of Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router, specifically affecting version v1.0.0.5(4180). The vulnerability is triggered by the username parameter, which is processed by the websGetVar function without length validation or sanitization. This allows for an unbounded copy via strcpy when a sufficiently long username is provided [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the R7WebsSecurityHandler CGI endpoint. The request must include a non-null password parameter and an overly long username parameter. The vulnerability is reachable as long as both parameters are non-null and a session slot is available, which is typically the case during normal operation [1].

Impact

Successful exploitation of this vulnerability can lead to a Denial of Service (DoS) by causing the device to crash or reboot. The reference also suggests the potential for arbitrary code execution, though this is not explicitly detailed [1].

Mitigation

No specific patched version or release date has been disclosed in the available references. Users are advised to check for firmware updates from Tenda. As of the available information, there are no disclosed workarounds, and the device has not been listed as end-of-life or on the KEV list [1].