Tasmota CVE-2026-38427
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t variable; values above 65535 wrap around, causing allocation of a smaller buffer than the data actually read.
AnalysisAI
Heap buffer overflow in Tasmota IoT firmware (through version 15.3.0.3) lets a remote attacker corrupt heap memory by manipulating the Content-Length of a JPEG stream processed by the fetch_jpg() routine in the scripter driver. Because the length is stored in a 16-bit integer, values above 65535 wrap to a small number, so the firmware allocates an undersized buffer and then reads the full, larger payload into it. Publicly available exploit code exists (a dedicated GitHub repository), CISA's SSVC framework rates exploitation as proof-of-concept and automatable, but the issue is not in CISA KEV and no public active exploitation is identified.
Technical ContextAI
Tasmota is widely deployed open-source firmware for ESP8266/ESP32-based smart-home and IoT devices. The vulnerable code is fetch_jpg() in tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, part of the optional Berry/scripter subsystem that can fetch images over HTTP. The root cause is CWE-122 (heap-based buffer overflow) driven by an integer-truncation defect: the HTTP Content-Length header is parsed into a uint16_t (maximum 65535), so any declared length above 65535 wraps modulo 65536 to a smaller value. The buffer is sized from that truncated value while the subsequent read consumes the actual (larger) body, writing past the end of the heap allocation. The referenced source blob (commit c207cc2) shows the affected file containing this allocation logic.
Affected ProductsAI
Tasmota firmware is affected in all releases through 15.3.0.3, specifically in the scripter driver file tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino as referenced at https://github.com/arendst/Tasmota/blob/c207cc2/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino. No CPE strings were supplied in the input, and no per-device or per-platform breakdown (ESP8266 vs ESP32 builds) is provided; only builds that include the scripter component are exposed. No separate vendor security advisory URL was included beyond the source repository link.
RemediationAI
No vendor-released patch version is identified at time of analysis - the only references are the source file at commit c207cc2 and a third-party POC repository (https://github.com/sermikr0/CVE-2026-38427), so upgrade to a fixed Tasmota build above 15.3.0.3 once the maintainer publishes one and confirm the fix in xdrv_10_scripter.ino. As compensating controls until a fixed release is available: disable or omit the scripter/fetch_jpg functionality in the build if it is not required (removes the vulnerable code path at the cost of losing scripted image fetching); restrict scripts so they only fetch JPEGs from trusted, fixed URLs rather than attacker-influenceable endpoints; and enforce HTTPS with certificate validation plus network segmentation so an on-path attacker cannot inject a crafted Content-Length response (trade-off: added configuration and possible memory overhead on constrained devices). Monitor the arendst/Tasmota repository for the upstream fix and apply it promptly.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today