Skip to main content

Arduino Tuyaopen CVE-2026-28519

| EUVDEUVD-2026-12226 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-03-15 VulnCheck
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:22 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.2.1
EUVD ID Assigned
Mar 15, 2026 - 14:00 euvd
EUVD-2026-12226
Analysis Generated
Mar 15, 2026 - 14:00 vuln.today
CVE Published
Mar 15, 2026 - 13:36 nvd
HIGH 8.8

DescriptionCVE.org

arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing execution of arbitrary code on affected embedded devices.

AnalysisAI

Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.

Technical ContextAI

The vulnerability affects the arduino-TuyaOpen library (CPE: cpe:2.3:a:tuya:arduino-tuyaopen:*:*:*:*:*:*:*:*), which is used in Tuya's IoT ecosystem for embedded device development. The flaw is classified as CWE-122 (Heap-based Buffer Overflow), occurring when the DnsServer component fails to properly validate the size of incoming DNS response data before copying it to a heap buffer. This library is commonly used in smart home devices, sensors, and other IoT products that integrate with the Tuya platform.

RemediationAI

Update to arduino-TuyaOpen version 1.2.1 or later, which contains the fix for this vulnerability. The vendor advisory is available at https://src.tuya.com/announcement/32. For devices that cannot be immediately updated, network segmentation can reduce risk by isolating IoT devices from untrusted network segments and implementing strict DNS server access controls. Monitor the official GitHub repository at https://github.com/tuya/arduino-TuyaOpen for additional updates.

Share

CVE-2026-28519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy