Skip to main content

Tasmota CVE-2026-38427

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-27 cve@mitre.org
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:35 vuln.today

DescriptionCVE.org

An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t variable; values above 65535 wrap around, causing allocation of a smaller buffer than the data actually read.

AnalysisAI

Heap buffer overflow in Tasmota IoT firmware (through version 15.3.0.3) lets a remote attacker corrupt heap memory by manipulating the Content-Length of a JPEG stream processed by the fetch_jpg() routine in the scripter driver. Because the length is stored in a 16-bit integer, values above 65535 wrap to a small number, so the firmware allocates an undersized buffer and then reads the full, larger payload into it. Publicly available exploit code exists (a dedicated GitHub repository), CISA's SSVC framework rates exploitation as proof-of-concept and automatable, but the issue is not in CISA KEV and no public active exploitation is identified.

Technical ContextAI

Tasmota is widely deployed open-source firmware for ESP8266/ESP32-based smart-home and IoT devices. The vulnerable code is fetch_jpg() in tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, part of the optional Berry/scripter subsystem that can fetch images over HTTP. The root cause is CWE-122 (heap-based buffer overflow) driven by an integer-truncation defect: the HTTP Content-Length header is parsed into a uint16_t (maximum 65535), so any declared length above 65535 wraps modulo 65536 to a smaller value. The buffer is sized from that truncated value while the subsequent read consumes the actual (larger) body, writing past the end of the heap allocation. The referenced source blob (commit c207cc2) shows the affected file containing this allocation logic.

Affected ProductsAI

Tasmota firmware is affected in all releases through 15.3.0.3, specifically in the scripter driver file tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino as referenced at https://github.com/arendst/Tasmota/blob/c207cc2/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino. No CPE strings were supplied in the input, and no per-device or per-platform breakdown (ESP8266 vs ESP32 builds) is provided; only builds that include the scripter component are exposed. No separate vendor security advisory URL was included beyond the source repository link.

RemediationAI

No vendor-released patch version is identified at time of analysis - the only references are the source file at commit c207cc2 and a third-party POC repository (https://github.com/sermikr0/CVE-2026-38427), so upgrade to a fixed Tasmota build above 15.3.0.3 once the maintainer publishes one and confirm the fix in xdrv_10_scripter.ino. As compensating controls until a fixed release is available: disable or omit the scripter/fetch_jpg functionality in the build if it is not required (removes the vulnerable code path at the cost of losing scripted image fetching); restrict scripts so they only fetch JPEGs from trusted, fixed URLs rather than attacker-influenceable endpoints; and enforce HTTPS with certificate validation plus network segmentation so an on-path attacker cannot inject a crafted Content-Length response (trade-off: added configuration and possible memory overhead on constrained devices). Monitor the arendst/Tasmota repository for the upstream fix and apply it promptly.

Share

CVE-2026-38427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy