CVE-2026-36957
Published: 30 April 2026
Summary
CVE-2026-36957 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Dbitnet Dbit N300 T1 Pro Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 15.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 directly protects against denial-of-service floods like high-volume HTTP GET requests to non-existent URIs that exhaust resources.
SI-2 ensures identification, reporting, and correction of the specific flaw in the boa web server URI handler causing resource exhaustion.
SC-6 monitors and protects system resource availability, mitigating exhaustion of file descriptors and memory buffers from DoS attacks.
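A detection sketch for the SC-5 and SC-6 monitoring described above, added here as an example and not taken from the vendor or the referenced advisory: it flags clients that send a burst of GET requests answered with 404. It assumes an access log in Common Log Format is available from the device or from a proxy in front of it; the function names, threshold, window and sample traffic are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "METHOD URI PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_404_floods(lines, threshold=20, window=timedelta(seconds=10)):
    """Map each client to the time it first reached `threshold` GET requests
    answered with 404 inside one sliding `window`. Both values are assumed
    defaults to tune per network, not figures from the advisory."""
    recent = defaultdict(deque)   # client -> timestamps of recent GET/404 hits
    flagged = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # skip malformed lines instead of failing
        host, ts, method, _uri, status = m.groups()
        if method != "GET" or status != "404":
            continue
        now = datetime.strptime(ts, TS_FMT)
        hits = recent[host]
        hits.append(now)
        while now - hits[0] > window:   # expire hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged.setdefault(host, now)
    return flagged

def sample_log():
    """Constructed traffic: one burst of misses, one client with occasional
    misses, one busy but legitimate client. Addresses are RFC 5737 ranges."""
    t0 = datetime(2026, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    rows = []
    for i in range(30):   # 30 misses in 3 seconds
        rows.append((t0 + timedelta(milliseconds=100 * i), "192.0.2.10", f"/x{i}", 404))
    for i in range(5):    # 5 misses, one per minute
        rows.append((t0 + timedelta(minutes=i), "192.0.2.20", f"/old{i}", 404))
    for i in range(40):   # 40 successful page loads in 4 seconds
        rows.append((t0 + timedelta(milliseconds=100 * i), "192.0.2.30", "/index.html", 200))
    return ['%s - - [%s] "GET %s HTTP/1.1" %d 0' % (h, t.strftime(TS_FMT), u, s)
            for t, h, u, s in sorted(rows)]

if __name__ == "__main__":
    for client, when in find_404_floods(sample_log()).items():
        print(f"{client} crossed the GET/404 threshold at {when.isoformat()}")
```

Counting only 404 responses keeps a busy legitimate client from being flagged, while the sliding window ignores the occasional broken link.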
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables resource exhaustion DoS via HTTP GET flood to non-existent URIs on the public-facing web server, directly mapping to Application Exhaustion Flood (T1499.003) and Application or System Exploitation (T1499.004) causing system hang and unavailability.
NVD Description
Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities.
Deeper analysis
The Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to CVE-2026-36957, a Denial of Service condition stemming from the boa web server URI handler. Published on 2026-04-30, this issue aligns with CWE-400 (Uncontrolled Resource Consumption) and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Attackers can exhaust critical system resources, such as file descriptors and memory buffers, by flooding the device with HTTP GET requests to non-existent URIs, resulting in a kernel deadlock or full system hang that disables the web management portal and routing functions.
Any unauthenticated attacker with network access to the router can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. Exploitation achieves high-impact availability disruption, effectively taking the router offline and severing connectivity for all dependent users and services.
Advisories and additional details are referenced at http://dbit.com and https://github.com/kirubel-cve/CVE-2026-36957, where practitioners can find vendor guidance and related resources for mitigation.
Details
- CWE(s)