TP-Link Tapo Camera CVE-2026-0918
HIGHSeverity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
AnalysisAI
Null pointer dereference in TP-Link Tapo C220 v1 and C520WS v2 cameras allows adjacent network attackers to crash the HTTP service via malformed POST requests with excessive Content-Length headers. Attackers can sustain denial of service through repeated crashes despite automatic device restarts. EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. No public exploit code or CISA KEV listing identified at time of analysis.
Technical ContextAI
The vulnerability exists in the HTTP service implementation of TP-Link Tapo camera firmware (CPE: cpe:2.3:o:tp-link:tapo_c220_firmware and cpe:2.3:o:tp-link:tapo_c520ws_firmware). When processing POST requests, the service fails to validate Content-Length header values before attempting memory allocation. An excessively large value causes malloc or similar allocation functions to fail, returning NULL. The code then dereferences this NULL pointer without checking the allocation result, triggering a segmentation fault that crashes the main service process. This is a classic instance of CWE-476 (NULL Pointer Dereference), a common memory safety issue in C/C++ applications that fail to validate dynamic memory allocation results. The vulnerability affects the camera's network-accessible control interface, which manages device configuration and streaming functionality.
RemediationAI
Update affected Tapo cameras to patched firmware versions available from TP-Link support downloads: Tapo C220 v1 firmware at https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ and Tapo C520WS v2 firmware at https://www.tp-link.com/us/support/download/tapo-c520ws/v2/. Exact patched firmware version numbers not independently confirmed from available data - verify current version against vendor advisory at https://www.tp-link.com/us/support/faq/4923/. If immediate patching is not feasible, implement network-level compensating controls: isolate cameras on dedicated VLAN with firewall rules restricting access to only trusted management hosts (trade-off: reduces convenience of mobile app access from all devices); configure intrusion prevention system signatures to detect and block HTTP POST requests with Content-Length headers exceeding reasonable thresholds for camera API operations, typically under 10MB (trade-off: may require tuning to avoid blocking legitimate firmware updates or large configuration uploads); deploy network monitoring to alert on repeated camera service restarts indicating active exploitation attempts. These mitigations reduce but do not eliminate risk, as they depend on correct network segmentation and may not prevent attacks from compromised devices within the camera VLAN.
More in Tapo C220 Firmware
View allUnauthenticated remote attackers can crash core system services on Tapo C220 and C520WS cameras by sending specially cra
Tapo C220 and C520WS network cameras contain an HTTP parser defect that crashes the device when processing requests with
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today