CVE-2026-36789
Description
Tenda AC1206 v15.03.06.23 has stack overflows in fromGstDhcpSetSer via username/password, allowing DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple stack overflows exist in the fromGstDhcpSetSer function of Shenzhen Tenda Technology Co., Ltd Tenda AC1206 firmware version v15.03.06.23. These vulnerabilities are reachable via the fromGstDhcpSetSer CGI handler and are triggered by user-controlled username and password parameters, which lack proper length validation or sanitization before being copied using strncpy [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the fromGstDhcpSetSer CGI endpoint. The request must include a long string for the dips parameter, such as a*188 or more, to trigger the buffer overflow condition [1].
Impact
Successful exploitation of these vulnerabilities can lead to a Denial of Service (DoS) by causing the device to crash or reboot. The references also suggest the potential for remote code execution [1].
Mitigation
No patched version or specific mitigation details are available in the provided references. The vulnerability was publicly disclosed on 2026-06-06 [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 1
- Tenda Routers: 13 Stack Overflow and Command Injection Vulnerabilities Disclosed (Vypr Intelligence · Jun 8, 2026)