Skip to main content

Arduino Tuyaopen CVE-2026-28522

| EUVDEUVD-2026-12229 HIGH
NULL Pointer Dereference (CWE-476)
2026-03-15 VulnCheck
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
May 26, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
May 26, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
May 26, 2026 - 14:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
1.2.1
EUVD ID Assigned
Mar 15, 2026 - 14:00 euvd
EUVD-2026-12229
Analysis Generated
Mar 15, 2026 - 14:00 vuln.today
CVE Published
Mar 15, 2026 - 13:36 nvd
MEDIUM 6.5

DescriptionCVE.org

arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP packets to cause memory exhaustion on the device, triggering a null pointer dereference and resulting in a denial-of-service condition.

AnalysisAI

Arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in its WiFiUDP component that allows unauthenticated attackers on the same local network to trigger a denial-of-service condition by flooding the device with malicious UDP packets. The vulnerability causes memory exhaustion leading to application crashes; while not actively exploited in the wild (KEV status unknown from provided data), the local network attack vector and high availability impact (CVSS 6.5) warrant prompt patching for affected IoT deployments.

Technical ContextAI

The vulnerability exists in the WiFiUDP networking component of the arduino-TuyaOpen library (CPE: cpe:2.3:a:tuya:arduino-tuyaopen:*:*:*:*:*:*:*:*), which provides UDP socket functionality for IoT devices running Arduino-compatible firmware. The root cause is classified as CWE-476 (Null Pointer Dereference), indicating that the WiFiUDP handler fails to validate or properly allocate memory when processing incoming UDP packets under load. When an attacker sends a large volume of UDP packets, the component exhausts available heap memory without proper error handling, leading to null pointer dereferences when the application attempts to access freed or unallocated memory regions. This is a memory safety issue common in C/C++-based embedded libraries where bounds checking and resource limits are insufficient.

Share

CVE-2026-28522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy