| Title | Arendst Tasmota 15.3.0.3 Memory Corruption |
|---|
| Description | A buffer overflow vulnerability exists in Arendst Tasmota firmware
version x.x.x.x and prior in the file tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino
within the fetch_jpg() function (case 0).
The vulnerable code copies a server-controlled MJPEG boundary string
into a fixed-size 40-byte stack buffer (boundary[40]) using strcpy()
without any length validation:
`strcpy(glob_script_mem.jpg_task.boundary, cp + 1);`
An attacker who controls the MJPEG HTTP server that the Tasmota device
connects to via the fetchjp() script command can send a Content-Type header
with a boundary string longer than 39 characters. This overflows the
boundary[40] buffer and corrupts adjacent heap memory, including
WiFiClient vtable pointers, potentially leading to remote code execution
on ESP32-based devices.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
CVE-2026-38422
PoC: https://github.com/sermikr0/CVE-2026-38422 |
|---|
| Source | https://github.com/sermikr0/CVE-2026-38422 |
|---|
| User | sermikro (UID 98509) |
|---|
| Submission | 05/25/2026 12:25 (17 days ago) |
|---|
| Moderation | 06/07/2026 21:58 (13 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 366173 [arendst Tasmota up to 15.3.0.3 xdrv_10_scripter.ino fetch_jpg buffer overflow] |
|---|
| Points | 0 |
|---|
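
The unbounded `strcpy()` quoted in the description can be replaced by a length-checked copy that rejects an oversized boundary instead of truncating it. The following is an added example, not code from the Tasmota project or from the submission; `copy_boundary`, `struct jpg_task_demo` and `BOUNDARY_MAX` are hypothetical names, and the header parsing is a simplified assumption about how the boundary value is located.

```c
#include <stddef.h>
#include <string.h>

#define BOUNDARY_MAX 40 /* boundary[40], the size given in the description */

/* Hypothetical stand-in for the firmware state; the canary after the buffer
 * lets a test confirm that nothing past boundary[] is ever written. */
struct jpg_task_demo {
    char boundary[BOUNDARY_MAX];
    unsigned canary;
};

/* Copy the boundary= parameter of a Content-Type value into dst.
 * Returns 0 on success, -1 if it is missing, empty or too long for dst
 * (terminating NUL included). On failure dst is left as an empty string.
 * Simplification: the parameter name is matched case-sensitively. */
int copy_boundary(char *dst, size_t dst_len, const char *content_type)
{
    static const char key[] = "boundary=";
    const char *val, *end;
    size_t len;

    if (dst == NULL || dst_len == 0) return -1;
    dst[0] = '\0';
    if (content_type == NULL) return -1;

    val = strstr(content_type, key);
    if (val == NULL) return -1;
    val += sizeof(key) - 1;

    if (*val == '"') {                 /* quoted form */
        val++;
        end = strchr(val, '"');
        if (end == NULL) return -1;
    } else {
        end = val + strcspn(val, "; \t\r\n");
    }

    len = (size_t)(end - val);
    if (len == 0 || len >= dst_len) return -1;

    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}
```

A caller should treat a return of -1 as a failed fetch and close the connection rather than continue with an empty boundary.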