CVE-2026-38427
Description
An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause a heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t variable; values above 65535 wrap around, causing allocation of a smaller buffer than the data actually read.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A uint16_t integer wraparound in Tasmota's fetch_jpg() function allows a remote attacker to trigger a heap buffer overflow, potentially leading to remote code execution.
Vulnerability
The vulnerability resides in the fetch_jpg() function within tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino of Tasmota through version 15.3.0.3. When the device fetches MJPEG frames from an attacker-controlled HTTP server, the Content-Length header value is parsed into a uint16_t variable via atoi(). Values exceeding 65535 silently wrap around (e.g., 65537 becomes 1), causing special_malloc() to allocate a drastically undersized heap buffer. The subsequent stream.readBytes() then reads only the wrapped (small) number of bytes, leaving the rest of the data in the stream buffer, leading to heap and stream state corruption [1][2].
Exploitation
An attacker must be able to serve a malicious MJPEG stream to a Tasmota device. This can be achieved by hosting an HTTP server that the device connects to (via a malicious Tasmota script, a compromised network route, or a man-in-the-middle position). The attacker sends an MJPEG frame with a Content-Length header value greater than 65535 (e.g., 70000). The atoi() call returns an integer value that, when assigned to uint16_t size, wraps (70000 becomes 4464). The device then allocates only 4464 bytes and reads exactly 4464 bytes from the stream. Over 65536 bytes of the actual frame data remain in the stream buffer, corrupting internal stream state and potentially overwriting adjacent heap memory [1].
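The narrowing described above, next to a range-checked parse, as an added example: this is not Tasmota's code and not a project fix. The function names and the MAX_FRAME_BYTES cap are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on one JPEG frame; size it from the device's free heap. */
#define MAX_FRAME_BYTES (256u * 1024u)

/* The pattern the advisory describes: atoi() result narrowed to uint16_t. */
uint16_t truncated_length(const char *value) {
    uint16_t size = (uint16_t)atoi(value);   /* 65537 -> 1, 70000 -> 4464 */
    return size;
}

/* Range-checked parse: returns 0 and stores the length, or -1 to reject. */
int parse_content_length(const char *value, size_t *out) {
    char *end;
    unsigned long n;

    if (value == NULL)
        return -1;
    while (*value == ' ' || *value == '\t')
        value++;                   /* optional whitespace after the colon */
    if (*value < '0' || *value > '9')
        return -1;                 /* empty, signed or non-numeric */
    errno = 0;
    n = strtoul(value, &end, 10);
    if (errno == ERANGE)
        return -1;                 /* does not fit in unsigned long */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                     /* tolerate trailing header whitespace */
    if (*end != '\0')
        return -1;                 /* trailing garbage such as "70000x" */
    if (n == 0 || n > MAX_FRAME_BYTES)
        return -1;                 /* refuse frames the device cannot hold */
    *out = (size_t)n;              /* wide type: no narrowing before malloc */
    return 0;
}

int main(void) {
    size_t n = 0;
    printf("narrowed 70000 -> %u\n", (unsigned)truncated_length("70000"));
    printf("checked  70000 -> rc=%d\n", parse_content_length("70000", &n));
    return 0;
}
```

The same size_t value has to be used for both the allocation and the read that follows, so the buffer size and the byte count cannot diverge.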
Impact
Successful exploitation leads to a heap buffer overflow and stream state corruption. This can cause an immediate denial of service (device crash). Under more controlled conditions, the attacker may leverage the heap corruption to achieve arbitrary code execution with the privileges of the Tasmota firmware, potentially taking full control of the device [1].
Mitigation
As of the publication date, no official patched version has been released. The affected Tasmota versions are 15.3.0.3 and earlier. Users are advised to monitor the Tasmota project for a fix. In the meantime, avoiding the use of scripts that fetch MJPEG frames from untrusted servers and restricting network access to the device can reduce the attack surface [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.