FKIE_CVE-2026-0918

Vulnerability from fkie_nvd - Published: 2026-01-27 18:15 - Updated: 2026-03-16 18:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
References
f23511db-6c3e-4e32-a477-6aa17d310630https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/en/support/download/tapo-c220/v1/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/en/support/download/tapo-c520ws/v2/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/us/support/download/tapo-c100/v5/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/us/support/download/tapo-c220/v1.60/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/us/support/download/tapo-c520ws/v2/Product
f23511db-6c3e-4e32-a477-6aa17d310630https://www.tp-link.com/us/support/faq/4923/Vendor Advisory
Impacted products
Vendor Product Version
tp-link tapo_c220_firmware *
tp-link tapo_c220 1
tp-link tapo_c520ws_firmware *
tp-link tapo_c520ws 2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tp-link:tapo_c220_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F337B275-4344-4B21-9C3F-5E01F56C8015",
              "versionEndExcluding": "1.4.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tp-link:tapo_c220:1:*:*:*:*:*:*:*",
              "matchCriteriaId": "671BCAEE-4AA0-4924-88E2-3B3C9087D171",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "65DE4797-2C90-4C4A-BCA1-41F514F8153D",
              "versionEndExcluding": "1.2.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:tp-link:tapo_c520ws:2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8E6B561-8739-4823-9226-82FE5084EE01",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Tapo C220 v1 and C520WS v2 cameras\u2019 HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash.\u00a0An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable."
    },
    {
      "lang": "es",
      "value": "El servicio HTTP de las c\u00e1maras Tapo C220 v1 y C520WS v2 no maneja de forma segura las solicitudes POST que contienen una cabecera Content-Length excesivamente grande. La asignaci\u00f3n de memoria fallida resultante desencadena una desreferenciaci\u00f3n de puntero NULL, provocando la ca\u00edda del proceso del servicio principal. Un atacante no autenticado puede provocar la ca\u00edda repetida del servicio, causando una denegaci\u00f3n de servicio temporal. El dispositivo se reinicia autom\u00e1ticamente, y las solicitudes repetidas pueden mantenerlo no disponible."
    }
  ],
  "id": "CVE-2026-0918",
  "lastModified": "2026-03-16T18:16:06.617",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "ADJACENT",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-27T18:15:54.973",
  "references": [
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "url": "https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/en/support/download/tapo-c220/v1/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/v2/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/us/support/download/tapo-c100/v5/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/us/support/download/tapo-c220/v1.60/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Product"
      ],
      "url": "https://www.tp-link.com/us/support/download/tapo-c520ws/v2/"
    },
    {
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.tp-link.com/us/support/faq/4923/"
    }
  ],
  "sourceIdentifier": "f23511db-6c3e-4e32-a477-6aa17d310630",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "f23511db-6c3e-4e32-a477-6aa17d310630",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.