Cyber Resilience

CVE-2026-36958

High · Public PoC · DDoS

Published: 30 April 2026

Modified: 05 May 2026
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0007 (22.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-36958 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in U-Speed N300 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 22.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-36958 is a denial-of-service vulnerability affecting the U-SPEED N300 V1.0.0 wireless router. The issue resides in the embedded Boa HTTP server handling the web management interface. By sending a large number of concurrent HTTP requests to random or non-existent endpoints, an attacker can exhaust system resources, rendering the router's web interface unresponsive and potentially requiring a manual reboot to restore functionality. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).

The attack requires network access to the router's web management interface, which is accessible remotely if exposed to the internet or locally within the network. No authentication, privileges, or user interaction are needed, making it straightforward for unauthenticated remote attackers to exploit. Successful exploitation achieves a high-impact denial of service specifically against the web interface, disrupting administrative access without affecting other router functions like connectivity.
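Added example (not from the advisory, the vendor or the referenced repository): a defender-side check that flags the pattern described above, many requests from one client in a short window and nearly all of them to endpoints the server does not have (HTTP 404), in web-management access logs. The Common Log Format, the thresholds and the log lines are assumptions constructed for the example; Boa's actual log format may differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format as written by small embedded HTTP servers (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def flood_sources(lines, window=timedelta(seconds=10), max_requests=20, min_404_ratio=0.8):
    """Flag client IPs that issue >= max_requests within `window`, mostly to
    non-existent endpoints (404). Returns {ip: (requests_in_window, 404s_in_window)}
    with the largest burst observed per flagged IP."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, status), newest last
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _path, status = rec
        q = recent[ip]
        q.append((ts, status))
        while q and ts - q[0][0] > window:    # drop entries that fell out of the window
            q.popleft()
        not_found = sum(1 for _, s in q if s == 404)
        if len(q) >= max_requests and not_found / len(q) >= min_404_ratio:
            flagged[ip] = max(flagged.get(ip, (0, 0)), (len(q), not_found))
    return flagged

def constructed_log():
    """Constructed sample: a normal admin session plus one burst of 404s from a single client."""
    t0 = datetime.strptime("30/Apr/2026:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {code} 0'
    lines = [fmt.format(ip="192.0.2.10", ts=t0 + timedelta(seconds=3 * i), path="/index.html", code=200)
             for i in range(5)]
    lines += [fmt.format(ip="198.51.100.7", ts=t0 + timedelta(milliseconds=50 * i), path=f"/zz{i:04x}", code=404)
              for i in range(30)]
    return sorted(lines, key=lambda l: parse(l)[1])   # replay in timestamp order

if __name__ == "__main__":
    for ip, (n, nf) in flood_sources(constructed_log()).items():
        print(f"{ip}: {n} requests in window, {nf} of them 404")
```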

Mitigation guidance and additional details are available in advisories referenced at http://u-speed.com and the GitHub repository https://github.com/kirubel-cve/CVE-2026-36958, published on 2026-04-30.

EU & UK References

Vulnerability details

A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require a manual reboot to restore normal operation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability directly enables an Application Exhaustion Flood by allowing unauthenticated remote attackers to send large numbers of concurrent HTTP requests to the web management interface, exhausting resources and rendering it unresponsive.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-36959: same product (U-Speed N300)
CVE-2026-4726: shared CWE-400
CVE-2025-21545: shared CWE-400
CVE-2026-6780: shared CWE-400
CVE-2024-56940: shared CWE-400
CVE-2026-26937: shared CWE-400
CVE-2025-2586: shared CWE-400
CVE-2026-47073: shared CWE-400
CVE-2026-25771: shared CWE-400
CVE-2023-51316: shared CWE-400

Affected Assets

u-speed / n300 firmware / version 1.0.0

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

prevent (SC-5, Denial-of-service Protection): Directly implements denial-of-service protections such as rate limiting on the web management interface to block resource-exhausting floods of concurrent HTTP requests.

prevent (SC-6, Resource Availability): Protects system resource availability through allocation controls that prevent exhaustion by excessive unauthenticated HTTP requests to the Boa server.

prevent: Remediates the specific flaw in the embedded Boa HTTP server that allows uncontrolled resource consumption from requests to random endpoints.

References