Dbit N300 T1 Pro DoS crashes router (CVE-2026-36957)
CVE-2026-36957
CVE-2026-36957: Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 DoS via GET flood (CVSS 7.5). No patch released yet; disable remote management or restrict GET rate.
Vendor-confirmed - CVE-2026-36957 is a high-severity Denial of Service vulnerability in the Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 that lets an unauthenticated attacker crash the device, disabling both the web portal and routing. No vendor patch has been released yet; apply the mitigations below.
Overview
CVE-2026-36957 affects the Dbit N300 T1 Pro router running firmware version V1.0.0. A high-volume flood of HTTP GET requests sent to non-existent URIs on the boa web server exhausts critical system resources, including file descriptors and memory buffers. This resource exhaustion leads to a kernel deadlock or system hang, which disables the web management interface and all routing capabilities.
An attacker with network access can exploit this vulnerability without authentication or user interaction (CVSS: 7.5, AV:N/AC:L/PR:N/UI:N). The attack requires no special privileges and can be launched from any device on the local network or from a remote network if the management interface is exposed to the internet.
The affected router is commonly used in small office and home deployments. While the vulnerability does not allow data theft or code execution, the resulting denial of service can cause prolonged network outages that require physical device power cycling to recover.
Remediation and Mitigation
No official firmware update from Dbit is currently available for this vulnerability. Until a patch is released, take the following steps to reduce risk:
- Disable remote web management access. Block ports 80 and 443 on the WAN interface so the boa web server is only reachable from the local LAN.
- If remote administration is required, restrict source IPs to trusted management networks only.
- Consider deploying a network appliance that can perform rate limiting or rate-based ACLs to drop high-volume GET request floods directed at the router.
- Monitor router logs and network traffic for signs of abnormal HTTP request patterns targeting non-existent URIs.
- If the device is critical to operations, replace it with a model that receives security patches.
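The monitoring step above can be automated. The following is an added example, not code from the advisory or from Dbit: it scans access-log lines in Common Log Format (assumed here; embedded servers such as boa typically emit this shape, but the exact format of this router's log is not stated) and flags any source that sends more than a threshold of GET requests for non-existent URIs (HTTP 404) inside a sliding time window. The sample log lines, the 10-second window and the threshold of 20 are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: "src ident user [ts] \"METHOD URI PROTO\" status size"
# (assumed format, not taken from a real Dbit device)
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (src, timestamp, method, uri, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("src"), ts, m.group("method"), m.group("uri"), int(m.group("status"))

def detect_404_floods(lines, window_s=10, threshold=20):
    """Map each source IP to the peak number of GET->404 requests it sent
    inside any `window_s`-second sliding window, for sources exceeding `threshold`.
    Only GETs for missing URIs count, matching the pattern described for this CVE."""
    recent = defaultdict(deque)   # src -> timestamps of recent GET->404 hits
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, ts, method, _uri, status = rec
        if method != "GET" or status != 404:
            continue
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop hits older than the window
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

def sample_log():
    """Constructed sample: one benign client and one source firing 30 GETs
    for random non-existent paths within three seconds."""
    fmt = '192.168.1.{h} - - [{ts}] "GET {uri} HTTP/1.1" {st} {size}'
    lines = [fmt.format(h=20, ts="10/Mar/2026:09:00:00 +0000", uri="/index.html", st=200, size=4096)]
    for i in range(30):
        ts = f"10/Mar/2026:09:00:{i // 10:02d} +0000"
        lines.append(fmt.format(h=77, ts=ts, uri=f"/does-not-exist-{i}", st=404, size=230))
    return lines

if __name__ == "__main__":
    print(detect_404_floods(sample_log()))   # {'192.168.1.77': 30}
```

Tune the window and threshold to the device's normal traffic; a single flagged source is a cue to rate-limit or block it upstream of the router.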
Security Insight
CVE-2026-36957 is an example of a classic resource exhaustion attack that the boa web server’s design fails to handle gracefully. The vulnerability echoes past DoS flaws in embedded web servers on consumer routers, where the combination of limited hardware resources and single-threaded request handling creates a soft target for even a modestly resourced attacker. Dbit’s delay in issuing a patch suggests that the product line may be nearing end-of-life, which is a broader risk for buyers of low-cost networking equipment.
For continued coverage of network security issues, see our security news. Data breach reports involving exploited network devices are available at breach reports, though this particular vulnerability has not been confirmed as exploited in the wild.