Impact
A buffer overflow occurs in the picCropName parameter within the formCropAndSetWewifiPic function of the Tenda W20E router. The flaw allows an attacker to supply an overly long input string that overflows the designated buffer, leading to a crash of the affected process or the entire system, which in turn results in a denial of service. The primary impact is service disruption, and it does not directly lead to arbitrary code execution or data theft.
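The bug class described above, shown as an added C example that is not Tenda's firmware code: an unbounded copy of a request parameter next to a form that checks the value against the destination buffer and rejects it. The function names, the 64-byte buffer size and the sample values are assumptions; the advisory states none of them.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size: the advisory does not state the real buffer length. */
#define CROP_NAME_BUF 64

enum crop_status { CROP_OK = 0, CROP_MISSING = -1, CROP_TOO_LONG = -2, CROP_BAD_ARG = -3 };

/* Bug class from the advisory (hypothetical code, not the vendor's): the
 * copy length is decided by the request, not by the destination buffer. */
void crop_name_unchecked(char *dst, const char *param)
{
    strcpy(dst, param); /* overflows dst when param needs more than its size */
}

/* Hardened form: measure the input against the destination first and
 * reject it instead of truncating or overflowing. */
enum crop_status crop_name_checked(char *dst, size_t dst_size, const char *param)
{
    const char *nul;

    if (dst == NULL || dst_size == 0)
        return CROP_BAD_ARG;
    dst[0] = '\0'; /* leave a valid empty string on every error path */
    if (param == NULL || param[0] == '\0')
        return CROP_MISSING;
    /* Look for the terminator within the first dst_size bytes only. */
    nul = memchr(param, '\0', dst_size);
    if (nul == NULL)
        return CROP_TOO_LONG; /* value plus its NUL does not fit */
    memcpy(dst, param, (size_t)(nul - param) + 1);
    return CROP_OK;
}

int main(void)
{
    char name[CROP_NAME_BUF];
    char oversized[4 * CROP_NAME_BUF]; /* constructed oversized value */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short value: %d\n", crop_name_checked(name, sizeof name, "crop_01.png"));
    printf("oversized:   %d\n", crop_name_checked(name, sizeof name, oversized));
    return 0;
}
```

Rejecting the request outright, rather than truncating, keeps the handler from acting on a value the client did not actually send.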
Affected Systems
The vulnerability affects Shenzhen Tenda Technology’s Tenda W20E router running firmware version 15.11.0.6. No other affected versions are listed in the publicly available CVE data, so older or newer firmware may not be impacted, but because that is unconfirmed, caution is advised.
Risk and Exploitability
The CVSS score is not disclosed in the information provided, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is a crafted HTTP request sent over the network to the router’s web interface, targeting the formCropAndSetWewifiPic endpoint. Because exploitation requires network connectivity to the device, it is considered primarily a risk from the local or internal network, but external actors could also leverage it if the device is exposed to the Internet. The risk is high, primarily because of the potential for disrupting network services, especially in environments where the router is a critical gateway.