Skip to main content

Tasmota CVE-2026-38422

HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-27 cve@mitre.org
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 14:23 vuln.today
CVSS changed
May 28, 2026 - 14:22 NVD
7.3 (HIGH)
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() function.

AnalysisAI

Remote code execution in Tasmota firmware version 15.3.0.3 and earlier allows remote unauthenticated attackers to trigger a stack-based buffer overflow in the fetch_jpg() function of the xdrv_10_scripter.ino scripting driver. The flaw is exposed over the network with low complexity and no privileges required (CVSS 7.3 AV:N/AC:L/PR:N/UI:N), and a public proof-of-concept repository has been registered, though no public exploit code was identified in the references at time of analysis. EPSS probability is very low (0.05%, 15th percentile) and the issue is not listed in CISA KEV.

Technical ContextAI

Tasmota is an open-source firmware widely deployed on ESP8266/ESP32 microcontrollers for smart-home and IoT devices, providing MQTT, HTTP, and a built-in rule/scripting engine. The vulnerable code lives in the optional Scripter driver (xdrv_10_scripter.ino), specifically the fetch_jpg() helper that downloads JPEG content over HTTP for use inside user scripts. CWE-121 (Stack-Based Buffer Overflow) identifies the root cause: a fixed-size stack buffer is written without proper length validation against attacker-influenced input, allowing the stack frame - including saved return addresses on the ESP architecture - to be corrupted. Because Tasmota firmware images are statically linked with limited mitigations on ESP targets (no ASLR, no canaries in stock builds), stack corruption is a realistic path to arbitrary code execution on the device.

Affected ProductsAI

The affected product is Tasmota firmware (arendst/Tasmota) version 15.3.0.3 and all earlier releases, with the vulnerable code in tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino on the development branch (https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino). No CPE strings were provided in the input data, and no separate vendor advisory was supplied beyond the upstream GitHub repository at https://github.com/arendst/Tasmota; downstream device builds that include the Scripter driver (a compile-time option commonly enabled in tasmota32-script and similar variants) inherit the flaw.

RemediationAI

No vendor-released patched version is cited in the provided references, so treat this as: released patched version not independently confirmed - track the upstream repository at https://github.com/arendst/Tasmota for a release after 15.3.0.3 and rebuild/flash affected devices once available. Until a fixed release is published, the most effective compensating control is to build or flash a Tasmota image that omits the Scripter driver (remove USE_SCRIPT from user_config_override.h), which fully eliminates the vulnerable fetch_jpg() code path at the cost of losing in-device scripting; if scripting must remain enabled, avoid scripts that invoke fetch_jpg() against untrusted URLs and restrict outbound HTTP from the device by network policy. Network-layer mitigations - placing Tasmota devices on an isolated VLAN, blocking arbitrary outbound HTTP from IoT segments, and restricting management access to trusted hosts - reduce exposure but do not remove the underlying stack overflow, and may break legitimate cloud/MQTT integrations.

Share

CVE-2026-38422 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy