| Title | Arendst Tasmota 15.3.0.3 Memory Corruption |
|---|
| Description | A buffer overflow vulnerability exists in Arendst Tasmota firmware
version x.x.x.x and prior in tasmota/tasmota_xdrv_driver/
xdrv_10_scripter.ino within the fetch_jpg() function (case 0).
The vulnerable code copies a server-controlled MJPEG boundary string
into a fixed-size 40-byte buffer (boundary[40]) using strcpy() without
any length validation:
char boundary[40];
strcpy(glob_script_mem.jpg_task.boundary, cp + 1);
An attacker controlling the MJPEG HTTP server sends a Content-Type
header with a boundary string longer than 39 characters. This corrupts
adjacent heap memory including WiFiClient and HTTPClient vtable
pointers at offsets +0x2E and +0x7E, leading to remote code execution
when virtual methods are subsequently called on ESP32-based devices.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
CVE-2026-38427
PoC: https://github.com/sermikr0/CVE-2026-38427
|
|---|
| Source | https://github.com/sermikr0/CVE-2026-38427 |
|---|
| User | sermikro (UID 98509) |
|---|
| Submission | 05/25/2026 12:27 (16 days ago) |
|---|
| Moderation | 06/07/2026 21:58 (13 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 366175 [arendst Tasmota up to 15.3.0.3 fetch_jpg uint16_t heap-based overflow] |
|---|
| Points | 0 |
|---|
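
A length-checked replacement for the unbounded `strcpy()` quoted in the Description, given here as an added example: it is not code from the submission or from the Tasmota project. The function name `copy_boundary`, the `boundary=` parameter parsing and the sample headers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BOUNDARY_SIZE 40 /* same size as boundary[40] in the description */

/* Hypothetical helper, not Tasmota code: copy the boundary parameter of a
 * Content-Type value into dst only when it fits, terminator included.
 * Returns 0 on success, -1 if the parameter is missing, empty or too long. */
int copy_boundary(char dst[BOUNDARY_SIZE], const char *content_type)
{
    static const char key[] = "boundary=";
    const char *cp;
    size_t len;

    dst[0] = '\0';
    if (content_type == NULL)
        return -1;
    cp = strstr(content_type, key);
    if (cp == NULL)
        return -1;
    cp += sizeof key - 1;
    /* The value ends at ';', whitespace, CR/LF or the end of the string. */
    len = strcspn(cp, "; \t\r\n");
    if (len == 0 || len >= BOUNDARY_SIZE)
        return -1; /* reject: a truncated boundary would never match the stream */
    memcpy(dst, cp, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample headers: one short boundary, one longer than 39 chars. */
    const char *ok = "multipart/x-mixed-replace; boundary=frame";
    const char *big = "multipart/x-mixed-replace; boundary="
                      "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char boundary[BOUNDARY_SIZE];

    printf("short: %d\n", copy_boundary(boundary, ok));
    printf("long:  %d\n", copy_boundary(boundary, big));
    return 0;
}
```

A caller would abort the MJPEG fetch on `-1` rather than continue with an empty boundary.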