CVE-2026-3465
Received Received - Intake
Denial of Service in Tuya App JSON Data Point Handler

Publication date: 2026-03-03

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Tuya App and SDK 24.07.11 on Android. Affected by this vulnerability is an unknown functionality of the component JSON Data Point Handler. This manipulation of the argument cruise_time causes denial of service. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. There is ongoing doubt regarding the real existence of this vulnerability. The vendor disagrees with the conclusion of the finding: "The described vulnerability fails to prove its feasibility or exploitability by attackers. The issue essentially does not constitute a security vulnerability, aligning more closely with abnormal product functionality." These considerations are properly reflected within the CVSS vector.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3465
EUVD
EUVD-2026-9297
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tuya app 24.07.11
tuya sdk 24.07.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3465 is a denial of service (DoS) vulnerability found in the Tuya App and SDK version 24.07.11 on Android. It involves improper input validation related to the JSON Data Point Handler component, specifically the "cruise_time" argument. When malformed JSON data is sent for this argument, it causes the Tuya App to freeze and crash when accessing the Cruise Time configuration page, disrupting normal operation.'}, {'type': 'paragraph', 'content': "The attack can be performed remotely and requires user interaction, but it is considered difficult to exploit. The vendor disputes the vulnerability's validity, stating it reflects abnormal product functionality rather than a true security flaw."}] [1, 2]

Impact Analysis

This vulnerability can cause the Tuya App to freeze and crash, resulting in a denial of service condition that disrupts the normal use of the application. This impacts the availability of the app and any functionality relying on the Cruise Time configuration.

Since the attack requires remote exploitation with user interaction, it could be used by an attacker to temporarily disable the app, potentially affecting device management or monitoring.

However, the overall severity is low, and the vendor disputes the exploitability and feasibility of this vulnerability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is related to the manipulation of the "cruise_time" argument in the Tuya App and SDK version 24.07.11 on Android, causing a denial of service when malformed JSON data is processed.'}, {'type': 'paragraph', 'content': 'Detection involves monitoring for abnormal application crashes or freezes when accessing the Cruise Time configuration page within the Tuya App.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is triggered by malformed JSON data sent to the device, network detection could focus on identifying unusual or malformed JSON payloads targeting the data point ID 177 (cruise_time) in traffic to the Tuya App or SDK.'}, {'type': 'paragraph', 'content': 'No specific detection commands or signatures are provided in the available resources.'}] [1, 2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'No known countermeasures or mitigations have been identified for this vulnerability.'}, {'type': 'paragraph', 'content': "The vendor disputes the vulnerability's validity and does not acknowledge it as a security risk."}, {'type': 'paragraph', 'content': 'It is suggested that affected users consider replacing the product with an alternative to avoid potential denial of service conditions.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3465. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart