| Title | Arendst Tasmota 15.3.0.3 Memory Corruption |
|---|
| Description | A buffer overflow vulnerability exists in Arendst Tasmota firmware
version x.x.x.x and prior in tasmota/tasmota_xdrv_driver/
xdrv_10_scripter.ino within the fetch_jpg() function.
The uint16_t variable 'size' receives Content-Length value via atoi()
without range validation. Values exceeding 65535 silently wrap around
due to integer truncation:
```cpp
uint16_t size = atoi(cp + 1);          // 65537 becomes 1
uint8_t *buff = special_malloc(size);  // malloc(1)
stream.readBytes(buff, size);          // reads only 1 byte
```
A remote attacker controlling the MJPEG server causes undersized heap
allocation followed by stream state corruption, leading to heap overflow,
crash, or potential remote code execution on ESP32-based devices.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
CVE-2026-38426
PoC: https://github.com/sermikr0/CVE-2026-38426
|
|---|
| Source | https://github.com/sermikr0/CVE-2026-38426 |
|---|
| User | sermikro (UID 98509) |
|---|
| Submission | 05/25/2026 12:26 (17 days ago) |
|---|
| Moderation | 06/07/2026 21:58 (13 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 366174 [arendst Tasmota up to 15.3.0.3 xdrv_10_scripter.ino fetch_jpg buffer overflow] |
|---|
| Points | 0 |
|---|
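The narrowing described in the submission, next to a range-checked parse, as an added example (not code from Tasmota or from the submission). The function names and the `MAX_FRAME_BYTES` cap are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap for this example: the largest frame the device should buffer. */
#define MAX_FRAME_BYTES 60000UL

/* Pattern quoted in the report: atoi() result narrowed to uint16_t. */
static uint16_t parse_len_truncating(const char *s) {
    return (uint16_t)atoi(s);                     /* value is reduced mod 65536 */
}

/* Hardened parse: returns 0 and sets *out on success, -1 on any rejection. */
static int parse_len_checked(const char *s, uint16_t *out) {
    char *end;
    unsigned long v;

    while (*s == ' ' || *s == '\t') s++;          /* optional whitespace after ':' */
    if (!isdigit((unsigned char)*s)) return -1;   /* rejects "", "-1", "+5", "abc" */

    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE) return -1;               /* does not fit unsigned long */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return -1;                                /* trailing junk such as "12abc" */
    if (v == 0 || v > MAX_FRAME_BYTES) return -1; /* range check before narrowing */

    *out = (uint16_t)v;                           /* safe: v <= 60000 < 65536 */
    return 0;
}

int main(void) {
    /* Constructed header values, not captured traffic. */
    const char *samples[] = { " 1024\r\n", "65537", "-1", "70000", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint16_t n = 0;
        int rc = parse_len_checked(samples[i], &n);
        printf("truncating=%u checked=%s (%u)\n",
               (unsigned)parse_len_truncating(samples[i]),
               rc == 0 ? "accept" : "reject", (unsigned)n);
    }
    return 0;
}
```

Rejecting the header outright, rather than clamping it, keeps the allocation size and the number of bytes later read from the stream in agreement.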