CVE-2026-36817 - Vulnerability Details

- Buffer Overflow in Tenda W15E Router Causing Denial of Service

Description

Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

Published: 2026-06-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Shenzhen Tenda Technology’s Tenda W15E router firmware version 15.11.0.10 contains a buffer overflow that is triggered by sending a specially crafted HTTP request to the formAddWebAuthWhiteUser endpoint. The overflow occurs in the webAuthWhiteUserInfo parameter of that function, allowing an attacker to corrupt memory and crash the device, which results in a denial of service to all users of the router’s web interface. The weakness is a classic example of a buffer overflow (CWE-120).

Affected Systems

The vulnerability affects only the Tenda W15E router produced by Shenzhen Tenda Technology, specifically firmware version 15.11.0.10. No other revisions or firmware versions are mentioned as affected in the advisory.

Risk and Exploitability

The EPSS score indicates a very low probability of exploitation (<1%), while the CVSS score of 7.5 classifies the issue as medium severity. The vulnerability is not listed in CISA KEV, suggesting it is not actively exploited. The attack vector is inferred from the description and is an externally reachable HTTP request to the formAddWebAuthWhiteUser endpoint, which can be sent from any network segment that can reach the device. Although denial of service is the primary risk, the likelihood of exploitation remains low according to the available metrics.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Tenda

W15e

100%

Version	Status	Scheme	Platform
`15.11.0.10`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Search for and install any vendor firmware update that contains a fix for the buffer overflow in formAddWebAuthWhiteUser
Restrict access to the router’s web interface by limiting it to trusted networks or disabling the affected function if configuration allows
Deploy logging or monitoring to detect repeated HTTP requests to formAddWebAuthWhiteUser and alert operators if suspicious activity occurs

Generated by OpenCVE AI on June 10, 2026 at 23:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00309.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/xhh0124/SemVulLLM/tree/main/W15E/formAddWebAuthWhiteUser

History

Thu, 11 Jun 2026 00:00:00 +0000

Type	Values Removed	Values Added
Title		Buffer Overflow in Tenda W15E Router Causing Denial of Service

Wed, 10 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title	DoS via Buffer Overflow in Tenda W15E WebAuth Parameter
Weaknesses	CWE-119

Wed, 10 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda Tenda w15e
Vendors & Products		Tenda Tenda w15e

Tue, 09 Jun 2026 22:00:00 +0000

Type	Values Removed	Values Added
Title		DoS via Buffer Overflow in Tenda W15E WebAuth Parameter
Weaknesses		CWE-119

Tue, 09 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
References		https://github.com/xhh0124/SemVulLLM/tree/main/W15E/formAddWebAuthWhiteUser

Subscriptions

Tenda W15e

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-09T00:00:00.000Z

Updated: 2026-06-10T19:31:33.482Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36817

Vulnrichment

Updated: 2026-06-10T19:04:22.537Z

NVD

Status : Deferred

Published: 2026-06-09T19:17:47.363

Modified: 2026-06-10T20:17:21.547

Link: CVE-2026-36817

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:45:44Z

Weaknesses

CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object