Skip to main content

TP-Link Tapo Camera CVE-2026-0918

HIGH
NULL Pointer Dereference (CWE-476)
2026-01-27 f23511db-6c3e-4e32-a477-6aa17d310630
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Apr 29, 2026 - 01:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 29, 2026 - 01:43 vuln.today
cvss_changed
CVSS changed
Apr 29, 2026 - 01:43 NVD
7.5 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Jan 27, 2026 - 18:15 nvd
HIGH 7.5

DescriptionCVE.org

The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.

AnalysisAI

Null pointer dereference in TP-Link Tapo C220 v1 and C520WS v2 cameras allows adjacent network attackers to crash the HTTP service via malformed POST requests with excessive Content-Length headers. Attackers can sustain denial of service through repeated crashes despite automatic device restarts. EPSS score is low (0.03%, 10th percentile), indicating minimal observed exploitation activity. No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

The vulnerability exists in the HTTP service implementation of TP-Link Tapo camera firmware (CPE: cpe:2.3:o:tp-link:tapo_c220_firmware and cpe:2.3:o:tp-link:tapo_c520ws_firmware). When processing POST requests, the service fails to validate Content-Length header values before attempting memory allocation. An excessively large value causes malloc or similar allocation functions to fail, returning NULL. The code then dereferences this NULL pointer without checking the allocation result, triggering a segmentation fault that crashes the main service process. This is a classic instance of CWE-476 (NULL Pointer Dereference), a common memory safety issue in C/C++ applications that fail to validate dynamic memory allocation results. The vulnerability affects the camera's network-accessible control interface, which manages device configuration and streaming functionality.

RemediationAI

Update affected Tapo cameras to patched firmware versions available from TP-Link support downloads: Tapo C220 v1 firmware at https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ and Tapo C520WS v2 firmware at https://www.tp-link.com/us/support/download/tapo-c520ws/v2/. Exact patched firmware version numbers not independently confirmed from available data - verify current version against vendor advisory at https://www.tp-link.com/us/support/faq/4923/. If immediate patching is not feasible, implement network-level compensating controls: isolate cameras on dedicated VLAN with firewall rules restricting access to only trusted management hosts (trade-off: reduces convenience of mobile app access from all devices); configure intrusion prevention system signatures to detect and block HTTP POST requests with Content-Length headers exceeding reasonable thresholds for camera API operations, typically under 10MB (trade-off: may require tuning to avoid blocking legitimate firmware updates or large configuration uploads); deploy network monitoring to alert on repeated camera service restarts indicating active exploitation attempts. These mitigations reduce but do not eliminate risk, as they depend on correct network segmentation and may not prevent attacks from compromised devices within the camera VLAN.

Share

CVE-2026-0918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy