CVE-2026-3465
Denial of Service in Tuya App JSON Data Point Handler
Publication date: 2026-03-03
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tuya | app | 24.07.11 |
| tuya | sdk | 24.07.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3465 is a denial of service (DoS) vulnerability found in the Tuya App and SDK version 24.07.11 on Android. It involves improper input validation related to the JSON Data Point Handler component, specifically the "cruise_time" argument. When malformed JSON data is sent for this argument, it causes the Tuya App to freeze and crash when accessing the Cruise Time configuration page, disrupting normal operation.
The attack can be performed remotely and requires user interaction, but it is considered difficult to exploit. The vendor disputes the vulnerability's validity, stating it reflects abnormal product functionality rather than a true security flaw. [1, 2]
How can this vulnerability impact me?
This vulnerability can cause the Tuya App to freeze and crash, resulting in a denial of service condition that disrupts the normal use of the application. This impacts the availability of the app and any functionality relying on the Cruise Time configuration.
Since the attack requires remote exploitation with user interaction, it could be used by an attacker to temporarily disable the app, potentially affecting device management or monitoring.
However, the overall severity is low, and the vendor disputes the exploitability and feasibility of this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to the manipulation of the "cruise_time" argument in the Tuya App and SDK version 24.07.11 on Android, causing a denial of service when malformed JSON data is processed.
Detection involves monitoring for abnormal application crashes or freezes when accessing the Cruise Time configuration page within the Tuya App.
Since the vulnerability is triggered by malformed JSON data sent to the device, network detection could focus on identifying unusual or malformed JSON payloads targeting the data point ID 177 (cruise_time) in traffic to the Tuya App or SDK.
No specific detection commands or signatures are provided in the available resources. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
No known countermeasures or mitigations have been identified for this vulnerability.
The vendor disputes the vulnerability's validity and does not acknowledge it as a security risk.
It is suggested that affected users consider replacing the product with an alternative to avoid potential denial of service conditions. [2]