CVE-2026-28521
Awaiting Analysis Awaiting Analysis - Queue

Out-of-Bounds Read in TuyaIoT Causes Data Leak, DoS

Vulnerability report for CVE-2026-28521, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: VulnCheck

Description

arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-07-06
AI Q&A
2026-03-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tuya arduino-tuyaopen to 1.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-28521 is a high-severity vulnerability in arduino-TuyaOpen versions before 1.2.1. It is an out-of-bounds memory read issue in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can send malicious DP event data to affected devices. This causes the device to access memory outside its intended boundaries, which can lead to unintended behavior.

  • The vulnerability is classified as CWE-125 (out-of-bounds memory read).
  • It does not require user interaction, privileges, or authentication.
  • The attack vector is local with high complexity.
  • The issue was fixed in version 1.2.1 of arduino-TuyaOpen.
Impact Analysis

This vulnerability can impact you by allowing an attacker who controls the Tuya cloud service to cause out-of-bounds memory access on your device. This can lead to two main consequences:

  • Information disclosure: Sensitive data may be exposed due to unauthorized memory reads.
  • Denial-of-service: The device may crash or become unresponsive, disrupting its normal operation.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update arduino-TuyaOpen to version 1.2.1 or later, where the issue has been fixed.

Since the vulnerability arises from malicious DP event data sent via the Tuya cloud service, controlling or restricting access to the Tuya cloud service and monitoring for suspicious activity may also help reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28521. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart