CVE-2026-36958
Published: 30 April 2026
Summary
CVE-2026-36958 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in U-Speed N300 Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly implements denial-of-service protections such as rate limiting on the web management interface to block resource-exhausting floods of concurrent HTTP requests.
Protects system resource availability through allocation controls that prevent exhaustion by excessive unauthenticated HTTP requests to the Boa server.
Remediates the specific flaw in the embedded Boa HTTP server that allows uncontrolled resource consumption from random endpoint requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables an Application Exhaustion Flood by allowing unauthenticated remote attackers to send large numbers of concurrent HTTP requests to the web management interface, exhausting resources and rendering it unresponsive.
NVD Description
A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.
Deeper analysis
CVE-2026-36958 is a denial-of-service vulnerability affecting the U-SPEED N300 V1.0.0 wireless router. The issue resides in the embedded Boa HTTP server handling the web management interface. By sending a large number of concurrent HTTP requests to random or non-existent endpoints, an attacker can exhaust system resources, rendering the router's web interface unresponsive and potentially requiring a manual reboot to restore functionality. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).
The attack requires network access to the router's web management interface, which is accessible remotely if exposed to the internet or locally within the network. No authentication, privileges, or user interaction are needed, making it straightforward for unauthenticated remote attackers to exploit. Successful exploitation achieves a high-impact denial of service specifically against the web interface, disrupting administrative access without affecting other router functions like connectivity.
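A detection sketch for the traffic pattern described above, added here as an example and not taken from the advisory or the vendor: it flags a source that produces a burst of 404 responses across many distinct paths in a short window. It assumes requests to the management interface are logged in Common Log Format by a proxy or gateway in front of the router; the thresholds, function names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against normal administrative traffic.
WINDOW = timedelta(seconds=10)
MAX_404 = 20        # 404 responses from one source inside WINDOW
MIN_DISTINCT = 15   # distinct missing paths, i.e. random endpoints

LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (source, timestamp, path, status) or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], ts, m["path"], int(m["status"])

def detect_floods(lines):
    """Return {source: time at which both thresholds were first crossed}."""
    recent = defaultdict(deque)   # source -> (ts, path) of recent 404s
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != 404:
            continue
        src, ts, path, _ = rec
        q = recent[src]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW:   # drop entries outside the window
            q.popleft()
        if (src not in alerts and len(q) >= MAX_404
                and len({p for _, p in q}) >= MIN_DISTINCT):
            alerts[src] = ts
    return alerts

def sample_log():
    """Constructed log: one administrator and one noisy source."""
    admin = ['198.51.100.7 - - [30/Apr/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
             '198.51.100.7 - - [30/Apr/2026:12:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0']
    noisy = [f'192.0.2.10 - - [30/Apr/2026:12:00:{i // 5:02d} +0000] '
             f'"GET /r{i:04d} HTTP/1.1" 404 0' for i in range(30)]
    return admin + noisy

if __name__ == "__main__":
    print(detect_floods(sample_log()))
```

Requiring many distinct missing paths keeps a client that repeatedly requests one absent file, such as a favicon, from raising an alert.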
Mitigation guidance and additional details are available in advisories referenced at http://u-speed.com and the GitHub repository https://github.com/kirubel-cve/CVE-2026-36958, published on 2026-04-30.
Details
- CWE(s)