CVE-2026-34118 (GCVE-0-2026-34118)
Vulnerability from cvelistv5
Published
2026-04-02 17:19
Modified
2026-04-02 17:48
Severity ?
7.1 (High) - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE
  • CWE-122 - Heap-based buffer overflow
Summary
A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to insufficient boundary validation when handling externally supplied HTTP input.  An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries.  Successful exploitation causes a Denial-of-Service (DoS) condition, causing the device’s process to crash or become unresponsive.
References
Impacted products
Vendor Product Version
TP-Link Systems Inc. Tapo C520WS v2.6 Version: 0   < 1.2.4 Build 260326 Rel.24666n
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34118",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T17:48:35.729427Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T17:48:43.255Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "HTTP POST"
          ],
          "product": "Tapo C520WS v2.6",
          "vendor": "TP-Link Systems Inc.",
          "versions": [
            {
              "lessThan": "1.2.4 Build 260326 Rel.24666n",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6\u0026nbsp;in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to\u0026nbsp;insufficient boundary validation when handling externally supplied HTTP input.\u0026nbsp;\u0026nbsp;\u003cdiv\u003e\u003cp\u003eAn attacker\non the same network segment could trigger heap memory corruption conditions by\nsending crafted payloads that cause write operations beyond allocated buffer\nboundaries.\u0026nbsp; Successful exploitation\ncauses a Denial-of-Service (DoS) condition, causing the device\u2019s process to\ncrash or become unresponsive.\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6\u00a0in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to\u00a0insufficient boundary validation when handling externally supplied HTTP input.\u00a0\u00a0An attacker\non the same network segment could trigger heap memory corruption conditions by\nsending crafted payloads that cause write operations beyond allocated buffer\nboundaries.\u00a0 Successful exploitation\ncauses a Denial-of-Service (DoS) condition, causing the device\u2019s process to\ncrash or become unresponsive."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based buffer overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T17:19:43.453Z",
        "orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
        "shortName": "TPLink"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.tp-link.com/us/support/faq/5047/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Heap-based Buffer Overflow Vulnerability Leading to Denial-of-Service in TP-Link Tapo C520WS",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
    "assignerShortName": "TPLink",
    "cveId": "CVE-2026-34118",
    "datePublished": "2026-04-02T17:19:43.453Z",
    "dateReserved": "2026-03-25T18:54:03.343Z",
    "dateUpdated": "2026-04-02T17:48:43.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34118\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T17:48:35.729427Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T17:48:38.574Z\"}}], \"cna\": {\"title\": \"Heap-based Buffer Overflow Vulnerability Leading to Denial-of-Service in TP-Link Tapo C520WS\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-100\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-100 Overflow Buffers\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"ADJACENT\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"TP-Link Systems Inc.\", \"modules\": [\"HTTP POST\"], \"product\": \"Tapo C520WS v2.6\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.2.4 Build 260326 Rel.24666n\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.tp-link.com/us/support/faq/5047/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6\\u00a0in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to\\u00a0insufficient boundary validation when handling externally supplied HTTP input.\\u00a0\\u00a0An attacker\\non the same network segment could trigger heap memory corruption conditions by\\nsending crafted payloads that cause write operations beyond allocated buffer\\nboundaries.\\u00a0 Successful exploitation\\ncauses a Denial-of-Service (DoS) condition, causing the device\\u2019s process to\\ncrash or become unresponsive.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6\u0026nbsp;in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to\u0026nbsp;insufficient boundary validation when handling externally supplied HTTP input.\u0026nbsp;\u0026nbsp;\u003cdiv\u003e\u003cp\u003eAn attacker\\non the same network segment could trigger heap memory corruption conditions by\\nsending crafted payloads that cause write operations beyond allocated buffer\\nboundaries.\u0026nbsp; Successful exploitation\\ncauses a Denial-of-Service (DoS) condition, causing the device\\u2019s process to\\ncrash or become unresponsive.\u003c/p\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122 Heap-based buffer overflow\"}]}], \"providerMetadata\": {\"orgId\": \"f23511db-6c3e-4e32-a477-6aa17d310630\", \"shortName\": \"TPLink\", \"dateUpdated\": \"2026-04-02T17:19:43.453Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34118\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T17:48:43.255Z\", \"dateReserved\": \"2026-03-25T18:54:03.343Z\", \"assignerOrgId\": \"f23511db-6c3e-4e32-a477-6aa17d310630\", \"datePublished\": \"2026-04-02T17:19:43.453Z\", \"assignerShortName\": \"TPLink\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.