CVE-2026-38422
Description
Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow and integer wraparound in fetch_jpg() of Tasmota ≤15.3.0.3 allow remote unauthenticated attackers to achieve heap corruption and potentially execute arbitrary code.
Vulnerability
The fetch_jpg() function in tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino of Arendst Tasmota versions 15.3.0.3 and earlier contains two memory corruption vulnerabilities [1][2][3]. The first is a strcpy() overflow into a fixed 40-byte boundary[] buffer when processing a long boundary string from a Content-Type: multipart/x-mixed-replace header. The second is a uint16_t integer wraparound on the Content-Length header value, causing an undersized heap buffer allocation. An attacker must control an MJPEG server that the Tasmota device is configured to fetch from (e.g., via a Scripter rule) and send a crafted HTTP response [2].
Exploitation
An attacker first hosts a malicious MJPEG server reachable by the target ESP32 device running Tasmota. When the device initiates a fetch_jpg() call, the attacker sends an HTTP 200 response with a Content-Type boundary string longer than 40 characters, causing the strcpy() overflow that corrupts adjacent heap metadata. In the same session, the attacker then sends MJPEG frames where the Content-Length exceeds 65535, triggering integer wraparound in uint16_t and leading to a buffer allocation of 1 byte, followed by a readBytes() call that leaves 65536 bytes in the stream. This combined heap corruption increases the probability of overwriting vtable pointers of WiFiClient or HTTPClient objects [2].
Impact
Successful exploitation allows a remote, unauthenticated attacker to corrupt heap structures, potentially achieving arbitrary code execution on the ESP32 device. This could lead to full compromise of the Tasmota device, including control over connected sensors, relays, and network communications. At a minimum, the attack guarantees a denial-of-service (DoS) due to the heap and stream corruption [2].
Mitigation
As of the publication date (2026-05-27), a fixed version has not been officially released. Users should monitor the Tasmota repository for a patched release [1]. Until a fix is available, reduce the attack surface by only allowing outbound HTTP connections to trusted, known-host MJPEG servers and disabling Scripter or fetch_jpg() usage if not strictly required. The vulnerability has not been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- [1] GitHub - arendst/Tasmota: Alternative firmware for ESP8266 and ESP32 based devices with easy configuration using webUI, OTA updates, automation using timers or rules, expandability and entirely local control over MQTT, HTTP, Serial or KNX. Full documentation at
- [2] GitHub - sermikr0/CVE-2026-38422: CVE-2026-38422 — Remote Code Execution via Combined Buffer Overflows in Tasmota fetch_jpg() (Tasmota <= 15.3.0.3)
- [3] Tasmota/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino at development · arendst/Tasmota
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds checking in `strcpy()` for the boundary string and use of `uint16_t` for Content-Length parsing, allowing integer wraparound."
Attack vector
An attacker controls an MJPEG server that the Tasmota device connects to via the `fetch_jpg()` scripter function. In Phase 1, the attacker sends an HTTP 200 response with a `boundary` string longer than 40 characters in the `Content-Type: multipart/x-mixed-replace` header, causing a `strcpy()` overflow into adjacent heap memory and corrupting vtable pointers of WiFiClient/HTTPClient objects [2]. In Phase 2, the attacker sends an MJPEG frame with a `Content-Length` header value exceeding 65535 (e.g., 65537), which wraps around a `uint16_t` to a small value (e.g., 1), causing an undersized heap allocation and subsequent stream state corruption when the remaining bytes are read [2]. Used together in a single attack session, these two primitives maximize heap corruption and significantly increase the probability of achieving arbitrary code execution [2].
Affected code
The vulnerability resides in the `fetch_jpg()` function within `tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino` [2]. Two distinct code paths are at fault: a `strcpy()` into a fixed 40-byte boundary buffer (Phase 1, case 0) and a `uint16_t` integer wraparound on the Content-Length header value (Phase 2, case 2) [2].
What the fix does
The bundle does not include a patch diff or advisory with remediation steps. The researcher's disclosure notes the vulnerabilities were reported to Tasmota before publication, but no fix is shown in the provided materials [2]. A proper fix would need to replace the unbounded `strcpy()` with a bounds-checked copy (e.g., `strlcpy`) for the boundary buffer, and change the Content-Length parsing to use a larger integer type (e.g., `uint32_t` or `size_t`) with a maximum-size check before allocation.
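As an added illustration of the two remediations just described (this is not Tasmota's code and does not come from the referenced repositories), the C below shows the 16-bit wraparound pattern beside a bounds-checked boundary copy and a wide, ceiling-checked Content-Length parser; `BOUNDARY_MAX` mirrors the 40-byte buffer named in the advisory, while `FRAME_MAX` is an assumed frame ceiling chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BOUNDARY_MAX 40           /* size of the fixed boundary[] buffer named in the advisory */
#define FRAME_MAX (256u * 1024u)  /* assumed ceiling for one MJPEG frame (example value, not Tasmota's) */

/* The defect pattern the advisory describes: parsing Content-Length into a
 * 16-bit type, so 65537 silently wraps to 1 and undersizes the allocation.
 * Illustrative only; not Tasmota's actual code. */
uint16_t unsafe_content_length(const char *value) {
    return (uint16_t)strtoul(value, NULL, 10);
}

/* Hardened replacement for the unbounded strcpy(): copy the boundary value
 * only if it fits, terminator included; otherwise leave an empty buffer. */
bool copy_boundary(const char *value, char boundary[BOUNDARY_MAX]) {
    const char *nul = memchr(value, '\0', BOUNDARY_MAX);  /* NUL within the first 40 bytes? */
    if (nul == NULL) {
        boundary[0] = '\0';
        return false;                                     /* 80-char boundary is rejected here */
    }
    memcpy(boundary, value, (size_t)(nul - value) + 1);
    return true;
}

/* Wrapper that returns only the accept/reject decision. */
bool boundary_accepted(const char *value) {
    char boundary[BOUNDARY_MAX];
    return copy_boundary(value, boundary);
}

/* Hardened Content-Length parsing: a wide type, digits only, and a maximum-size
 * check that must pass before any malloc(). Returns false when the header is
 * malformed, zero, or larger than the frame ceiling. */
bool parse_content_length(const char *value, size_t *out) {
    if (value[0] < '0' || value[0] > '9') return false;   /* rejects "", "-1", "+5", leading spaces */
    char *end = NULL;
    unsigned long long n = strtoull(value, &end, 10);     /* overflow yields ULLONG_MAX, caught below */
    if (*end != '\0' || n == 0 || n > FRAME_MAX) return false;
    *out = (size_t)n;
    return true;
}
```

With the checked parser, a `Content-Length: 65537` header is either honoured in full or refused; it can no longer become a 1-byte allocation followed by a 65536-byte read.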
Preconditions
- config: The Tasmota device must be configured to use the scripter driver and call fetch_jpg() to connect to an attacker-controlled MJPEG server.
- network: The attacker must operate a network-accessible HTTP server that the Tasmota device can reach.
- auth: No authentication is required; the attack is triggered by the content of the HTTP response alone.
Reproduction
The researcher provides a proof-of-concept Python script (`CVE-2026-38422_poc.py`) that runs an attacker-controlled MJPEG server on a specified port [2]. The PoC accepts a connection from Tasmota when `fetch_jpg()` is triggered, then sends an initial HTTP 200 response with a boundary string of 80 characters (triggering the Phase 1 overflow), followed by MJPEG frames with `Content-Length: 65537` (triggering the Phase 2 wraparound) [2]. The command to run the PoC is: `python3 CVE-2026-38422_poc.py --port 8887 --mode dos` [2].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0. No linked articles in our index yet.