Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing execution of arbitrary code on affected embedded devices.
AnalysisAI
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
Technical ContextAI
The vulnerability affects the arduino-TuyaOpen library (CPE: cpe:2.3:a:tuya:arduino-tuyaopen:*:*:*:*:*:*:*:*), which is used in Tuya's IoT ecosystem for embedded device development. The flaw is classified as CWE-122 (Heap-based Buffer Overflow), occurring when the DnsServer component fails to properly validate the size of incoming DNS response data before copying it to a heap buffer. This library is commonly used in smart home devices, sensors, and other IoT products that integrate with the Tuya platform.
RemediationAI
Update to arduino-TuyaOpen version 1.2.1 or later, which contains the fix for this vulnerability. The vendor advisory is available at https://src.tuya.com/announcement/32. For devices that cannot be immediately updated, network segmentation can reduce risk by isolating IoT devices from untrusted network segments and implementing strict DNS server access controls. Monitor the official GitHub repository at https://github.com/tuya/arduino-TuyaOpen for additional updates.
More in Arduino Tuyaopen
View allSingle-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that al
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versio
Arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in its WiFiUDP component that al
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12226