Description
Shenzhen Tenda Technology Co., Ltd Tenda US_W3V1.0BR v1.0.0.3 was discovered to contain a stack overflow in the Go parameter of the ask_to_reboot function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack-based buffer overflow in the handling of the Go parameter by the ask_to_reboot function of Tenda US_W3V1.0BR v1.0.0.3. A crafted input can trigger the overflow, causing the device to crash or reboot and making it unavailable. The defect is classified as CWE-121 and results in a denial of service on the affected device, impacting availability but not confidentiality or integrity.

Affected Systems

The flaw affects Shenzhen Tenda Technology Co., Ltd devices running the US_W3V1.0BR firmware version 1.0.0.3. No other versions are explicitly listed as vulnerable, but earlier firmware revisions that include the ask_to_reboot function may also be affected if they contain similar code.

Risk and Exploitability

The CVSS score of 7.5 rates this as high severity, reflecting the denial-of-service impact. With no EPSS data available and the vulnerability not listed in the CISA KEV catalog, the exploitation probability is unclear but could be moderate if attackers discover the exposed interface. The attack requires sending a crafted parameter to the vulnerable function; the path and prerequisites are not fully detailed, so it is inferred that attackers need access to the device's management interface or a network path that reaches the ask_to_reboot endpoint.

Generated by OpenCVE AI on June 9, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to a version that removes or mitigates the vulnerable ask_to_reboot implementation
  • If a firmware update is not yet available, restrict the exposure of the ask_to_reboot endpoint to authorized administrators only and enforce authentication before accepting input
  • Apply input validation or size limits to the Go parameter in the function to prevent buffer overflows, or patch the code to handle excessive values safely
  • Monitor device logs for abnormal reboots or crash events and implement network filtering to block suspicious traffic with unusually large or malformed request payloads

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 23:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Stack Overflow in Tenda US_W3V1.0BR Firmware Allows DoS |

Tue, 09 Jun 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-121 |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Tue, 09 Jun 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Shenzhen Tenda Technology Co., Ltd Tenda US_W3V1.0BR v1.0.0.3 was discovered to contain a stack overflow in the Go parameter of the ask_to_reboot function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. |
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T19:08:48.707Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36770

Vulnrichment

Updated: 2026-06-09T19:08:43.025Z

NVD

Status: Deferred

Published: 2026-06-09T19:17:43.440

Modified: 2026-06-09T20:16:43.230

Link: CVE-2026-36770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:00:15Z

Weaknesses