CVE-2026-38422
Deferred - Pending Action
Buffer Overflow in Tasmota Firmware

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: MITRE

Description
Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() function.
Meta Information

  • Published: 2026-05-27
  • Last Modified: 2026-05-28
  • Generated: 2026-06-16
  • AI Q&A: 2026-05-27
  • EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 2 associated CPEs

Vendor    Product   Version / Range
arendst   tasmota   to 15.3.0 (exc)
arendst   tasmota   to 15.3.0.4 (exc)

CWE
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Executive Summary

CVE-2026-38422 is a critical buffer overflow vulnerability in the Tasmota open-source firmware, specifically affecting versions 15.3.0.3 and earlier. It exists in the fetch_jpg() function within the scripter driver (xdrv_10_scripter.ino) component.

The vulnerability arises from two memory corruption issues: a strcpy() buffer overflow in a fixed 40-byte buffer that corrupts adjacent heap memory, and an integer wraparound in the Content-Length header handling that causes undersized buffer allocation and stream corruption.

An attacker can exploit this by hosting a malicious MJPEG server that sends specially crafted HTTP responses with oversized boundary strings and large Content-Length values, leading to remote code execution or denial of service on ESP32-based Tasmota devices.

This flaw allows an attacker to execute arbitrary code remotely, potentially gaining unauthorized access or control over the device.

Impact Analysis

This vulnerability can have severe impacts including full device compromise. An attacker exploiting this flaw can execute arbitrary code remotely on affected Tasmota devices.

Such compromise can lead to unauthorized access to device secrets and credentials, loss of control over the device, and potential disruption of device functionality through denial-of-service conditions.

Given that Tasmota is widely used in smart home and IoT environments, exploitation could affect home automation, security systems, or other connected devices, potentially leading to privacy breaches or operational failures.

Detection Guidance

Exploit attempts against this vulnerability can be detected by monitoring MJPEG HTTP traffic involving Tasmota devices running version 15.3.0.3 or earlier with scripter support enabled. Specifically, look for HTTP responses from MJPEG servers with abnormally large Content-Length values or oversized boundary strings, which indicate an exploit attempt.

Since the attack involves a malicious MJPEG server sending crafted HTTP responses, network packet capture tools like tcpdump or Wireshark can be used to inspect traffic to and from the device.

  • Use tcpdump to capture HTTP traffic on the device's IP and port (usually port 80), with the options placed before the filter expression: tcpdump -i <interface> -w capture.pcap host <device_ip> and port 80
  • Analyze the capture with Wireshark to identify HTTP responses with unusually large Content-Length headers or oversized boundary strings in MJPEG streams.
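
The header check described above, as an added example (not code from Tasmota or from this advisory page): it flags boundary values that cannot fit the 40-byte buffer mentioned in the summary, and Content-Length values that are non-numeric or above a limit. The 1 MiB limit, the function names and the sample header blocks are assumptions constructed for illustration.

```python
import re

BOUNDARY_BUF = 40            # fixed buffer size stated in the summary above
MAX_FRAME_BYTES = 1 << 20    # assumption: no legitimate camera frame exceeds 1 MiB

def parse_headers(block: bytes) -> dict:
    """Parse a CRLF-separated header block into {lowercased-name: value}."""
    headers = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and b" " not in name:       # skips status lines and boundary markers
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers

def inspect(block: bytes) -> list:
    """Return findings for one header block (HTTP response or multipart part)."""
    findings = []
    h = parse_headers(block)
    m = re.search(r'boundary="?([^";]*)', h.get("content-type", ""), re.I)
    if m and len(m.group(1)) + 1 > BOUNDARY_BUF:   # +1 for the C string terminator
        findings.append(f"boundary is {len(m.group(1))} bytes, "
                        f"does not fit a {BOUNDARY_BUF}-byte buffer")
    cl = h.get("content-length")
    if cl is not None:
        if not (cl.isascii() and cl.isdigit()):
            findings.append(f"non-numeric Content-Length: {cl!r}")
        elif int(cl) > MAX_FRAME_BYTES:
            findings.append(f"Content-Length {cl} exceeds {MAX_FRAME_BYTES}")
    return findings

# Constructed sample header blocks (not taken from real traffic).
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary=frame\r\n\r\n"
BENIGN_PART = b"--frame\r\nContent-Type: image/jpeg\r\nContent-Length: 24576\r\n\r\n"
SUSPECT = (b"HTTP/1.1 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary="
           + b"x" * 64 + b"\r\n\r\n")
SUSPECT_PART = b"--x\r\nContent-Type: image/jpeg\r\nContent-Length: 3000000000\r\n\r\n"

if __name__ == "__main__":
    for name, block in [("benign", BENIGN), ("benign part", BENIGN_PART),
                        ("suspect", SUSPECT), ("suspect part", SUSPECT_PART)]:
        print(f"{name}: {inspect(block) or 'ok'}")
```

Feed it the header blocks extracted from the capture (for example, via Wireshark's "Follow TCP Stream" export), and tune MAX_FRAME_BYTES to the frame sizes your cameras actually produce.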

Additionally, checking the firmware version on the device can help detect if it is vulnerable. Devices running Tasmota version 15.3.0.3 or earlier with scripter enabled are at risk.

  • Query the device for its firmware version via its web UI or MQTT interface.

Mitigation Strategies

The immediate and most effective mitigation is to update Tasmota firmware to version 15.3.0.4 or later, where this vulnerability has been patched.

If updating immediately is not possible, consider disabling the scripter feature or avoiding the use of the fetch_jpg() function to prevent exposure to the vulnerability.

Additionally, restrict network access to the device by limiting connections to trusted networks and blocking access to untrusted or external MJPEG servers.

  • Perform a firmware update to Tasmota version 15.3.0.4 or later.
  • Disable or avoid using the scripter feature and fetch_jpg() function.
  • Implement network controls to restrict device communication to trusted sources only.

Compliance Impact

CVE-2026-38422 allows remote attackers to execute arbitrary code on affected Tasmota devices, potentially leading to unauthorized access or control of the device.

Such unauthorized access could result in exposure or compromise of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and health information.

Because the vulnerability enables full device compromise, including access to secrets and credentials, organizations using affected devices in regulated environments could face risks of non-compliance due to inadequate security controls.

Mitigation by updating to patched versions is critical to maintain compliance and reduce the risk of data breaches.
