Skip to main content

Arduino Tuyaopen EUVDEUVD-2026-12228

| CVE-2026-28521 HIGH
Out-of-bounds Read (CWE-125)
2026-03-15 VulnCheck
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:22 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.2.1
EUVD ID Assigned
Mar 15, 2026 - 14:00 euvd
EUVD-2026-12228
Analysis Generated
Mar 15, 2026 - 14:00 vuln.today
CVE Published
Mar 15, 2026 - 13:35 nvd
HIGH 7.7

DescriptionCVE.org

arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.

AnalysisAI

CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or hijack Tuya cloud service
Exploit
Send crafted DP event data to device
Execution
Trigger out-of-bounds memory read
Impact
Disclose sensitive information or crash device

Vulnerability AssessmentAI

Exploitation Tuya cloud service compromise or MITM capability required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The risk profile shows conflicting signals: CVSS 7.7 (High) indicates significant impact, but the attack vector is marked as Local (AV:L) despite the description stating cloud-based exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker would first need to compromise Tuya's cloud infrastructure or perform a man-in-the-middle attack on the communication between IoT devices and Tuya cloud. Once positioned, they could send specially crafted DP event messages containing malformed data that triggers out-of-bounds reads in the device's memory. …
Remediation Upgrade arduino-TuyaOpen library to version 1.2.1 or later, which contains the fix for this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all IoT devices and systems using arduino-TuyaOpen library versions prior to 1.2.1. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-12228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy