Description
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the hostname parameter of the formSetNetCheckTools function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Shenzhen Tenda Technology Co., Ltd. disclosed a buffer overflow flaw in the hostname parameter of the formSetNetCheckTools function in its Tenda W15E router firmware version 15.11.0.10. The overflow occurs when an attacker sends a specially crafted HTTP request containing an overly long hostname, which can cause the router’s software to crash and become unresponsive. The vulnerability does not provide code execution or sensitive data exposure; it simply makes the device unavailable until re‑started, leading to a denial of service for users on the affected network.

Affected Systems

The issue affects routers running the Tenda W15E firmware version 15.11.0.10. No other Tenda products or firmware revisions are listed as vulnerable. The flaw resides in the web‑based configuration interface of the device.

Risk and Exploitability

An attacker with network access to the router’s HTTP management interface can trigger the overflow by sending a malicious request to the formSetNetCheckTools endpoint. Because the vulnerability is triggered remotely, the risk is contingent on the router’s exposure to untrusted networks. The EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog; the CVSS score is 7.5, indicating a high‑impact denial of service. Successfully exploited, the device would be inoperable, potentially disrupting network connectivity for all hosts on the network.

Generated by OpenCVE AI on June 10, 2026 at 23:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router firmware to a version that incorporates the buffer overflow fix.
  • If an update is unavailable, block external access to the formSetNetCheckTools endpoint or disable the web configuration interface from untrusted networks.
  • Implement firewall rules to restrict HTTP management traffic to trusted LAN subnets only and monitor logs for suspicious payload lengths.

Generated by OpenCVE AI on June 10, 2026 at 23:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Buffer Overflow in Tenda W15E Hostname Parameter
Weaknesses CWE-787

Wed, 10 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda w15e
Vendors & Products Tenda
Tenda w15e

Tue, 09 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Buffer Overflow in Tenda W15E Hostname Parameter
Weaknesses CWE-120
CWE-787

Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the hostname parameter of the formSetNetCheckTools function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
References

Subscriptions

Tenda W15e
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-10T19:31:46.136Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36815

cve-icon Vulnrichment

Updated: 2026-06-10T19:04:25.019Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T19:17:47.090

Modified: 2026-06-10T20:17:15.940

Link: CVE-2026-36815

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:45:44Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')