EUVD-2026-12226
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing execution of arbitrary code on affected embedded devices.
Analysis
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all devices running arduino-TuyaOpen and assess network exposure; isolate critical deployments to segregated networks if possible. Within 7 days: Contact Tuya for patch availability status and timeline; implement network segmentation to restrict DNS traffic. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today