CVE-2026-36779

Vulnerability

Multiple stack overflows exist in the fromVirtualSer function of Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router, specifically in version v1.0.0.5(4180) [1]. These vulnerabilities are triggered by user-controlled parameters puVar2, puVar1, __s2, __s1_00, and puVar3 which are retrieved via websGetVar without length validation or sanitization. The sprintf function then performs an unbounded copy, leading to overwrites of adjacent stack memory [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the fromVirtualSer CGI endpoint. This request must contain overly long values for any of the parameters puVar2, puVar1, __s2, __s1_00, or puVar3. The vulnerability is reachable if the wans.flag value is set to "1" [1].

Impact

Successful exploitation of these stack overflows can lead to a Denial of Service (DoS) by causing the device to crash or reboot [1]. The references also suggest the potential for arbitrary code execution, although this is not explicitly detailed [1].

Mitigation

Fixed versions and release dates are not yet disclosed in the available references. No workarounds or EOL status are mentioned. The vulnerability has not been listed on the KEV catalog as of the available information [1].