CVE-2026-38426
Buffer Overflow in Tasmota IoT Firmware
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arendst | tasmota | to 15.3.0.3 (exc) |
| arendst | tasmota | to 15.3.0.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-38426 is a critical stack buffer overflow vulnerability in the Tasmota firmware versions 15.3.0.3 and earlier. It occurs in the fetch_jpg() function within the xdrv_10_scripter.ino file, where a fixed 40-byte buffer is used to store an MJPEG boundary string from an HTTP Content-Type header. The vulnerability arises because the boundary string is copied into this buffer using strcpy() without checking its length.
An attacker can exploit this by sending a boundary string longer than 39 characters from a malicious HTTP server, causing the buffer to overflow and corrupt adjacent heap memory, including important pointers. This corruption can lead to remote code execution on the ESP32 device when certain virtual methods are called.
How can this vulnerability impact me?
This vulnerability allows a remote attacker to execute arbitrary code on affected devices without any authentication. This means an attacker can gain unauthorized control over the device, potentially leading to data theft, manipulation of device functions, or causing denial-of-service conditions.
The impact affects confidentiality, integrity, and availability of the device and its connected systems, making it a high-risk security issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for suspicious HTTP Content-Type headers containing unusually long MJPEG boundary strings exceeding 39 characters, which may trigger the buffer overflow.
Additionally, running the available proof-of-concept exploit script from Resource 1 can help verify if a device is vulnerable by demonstrating a crash or information leakage.
Since the vulnerability is in the fetch_jpg() function of the xdrv_10_scripter.ino file, checking the firmware version of Tasmota devices is crucial; versions 15.3.0.3 and earlier are vulnerable.
- Use network packet capture tools (e.g., Wireshark) to filter HTTP traffic and inspect Content-Type headers for boundary strings longer than 39 characters.
- Check the Tasmota firmware version on your devices with commands or interfaces provided by Tasmota to ensure they are updated beyond version 15.3.0.3.
- Run the proof-of-concept exploit script from https://github.com/sermikr0/CVE-2026-38426 to test device susceptibility.
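The following is an added example, not code from the Tasmota project or from the CVE record above. It illustrates the two points made above: the unsafe copy pattern the description attributes to fetch_jpg() (a server-controlled boundary string copied with strcpy() into a fixed 40-byte buffer) next to a bounded version that measures the boundary= parameter first and rejects anything that would not fit, and a length check over a Content-Type header value that can serve as the detection rule suggested above (flag boundaries of 40 or more characters). Function names, the 40-byte constant and the sample headers are assumptions chosen for the example; the unsafe function is included only to show the pattern and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Same fixed buffer size the advisory describes: 39 characters plus NUL. */
#define BOUNDARY_BUF 40

/* Illustrative reconstruction of the unsafe pattern (not Tasmota's actual
 * code): strcpy() trusts the server-supplied boundary, so a value of 40 or
 * more characters writes past the end of the 40-byte buffer. Never called. */
void copy_boundary_unsafe(char dst[BOUNDARY_BUF], const char *boundary) {
    strcpy(dst, boundary);
}

/* Measure the boundary= parameter in a Content-Type header value without
 * copying it. Returns the length, or 0 if the parameter is absent. On its
 * own this is the detection check: values of 40 or more are the ones that
 * would overflow the buffer described above. */
size_t boundary_length(const char *content_type) {
    const char *p = strstr(content_type, "boundary=");
    if (p == NULL) return 0;
    p += strlen("boundary=");
    int quoted = (*p == '"');
    if (quoted) p++;
    size_t len = 0;
    /* The value ends at ';', whitespace, CRLF, a closing quote, or end of string. */
    while (p[len] != '\0' && p[len] != ';' && p[len] != ' ' && p[len] != '\t'
           && p[len] != '\r' && p[len] != '\n' && !(quoted && p[len] == '"'))
        len++;
    return len;
}

/* Hardened copy: reject any boundary that would not fit (length plus NUL)
 * and bound the copy to the measured length. Returns 0 on success, -1 when
 * rejecting, and never writes to dst in the rejecting case. */
int copy_boundary_safe(char dst[BOUNDARY_BUF], const char *content_type) {
    size_t len = boundary_length(content_type);
    if (len == 0 || len >= BOUNDARY_BUF) return -1;
    const char *p = strstr(content_type, "boundary=") + strlen("boundary=");
    if (*p == '"') p++;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

/* Returns 1 when the header would be accepted by the hardened copy, 0 when
 * it would be rejected (absent or oversized boundary). */
int header_is_acceptable(const char *content_type) {
    char buf[BOUNDARY_BUF];
    return copy_boundary_safe(buf, content_type) == 0;
}

int main(void) {
    /* Constructed sample headers: a normal MJPEG stream and an oversized boundary. */
    const char *ok = "multipart/x-mixed-replace; boundary=frame";
    const char *bad = "multipart/x-mixed-replace; boundary="
                      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    char buf[BOUNDARY_BUF];
    printf("%s -> %s\n", ok, copy_boundary_safe(buf, ok) == 0 ? buf : "REJECTED");
    printf("boundary length %zu -> %s\n", boundary_length(bad),
           header_is_acceptable(bad) ? "accepted" : "REJECTED");
    return 0;
}
```

The rejection threshold is deliberately tied to the destination size rather than to the format: RFC 2046 allows multipart boundaries of up to 70 characters, so a parser with a 40-byte buffer must either enlarge the buffer or refuse longer values, and refusing is the safer change when the buffer size is fixed by surrounding code.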
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade all affected Tasmota devices to version 15.3.0.4 or later, where the vulnerability has been patched.
If upgrading immediately is not possible, restrict network access to Tasmota devices to trusted sources only, minimizing exposure to potentially malicious HTTP servers.
Disable or limit the use of the script feature (xdrv_10_scripter) if it is not required, as this component is directly involved in the vulnerability.
- Update Tasmota firmware to version 15.3.0.4 or later.
- Implement network segmentation or firewall rules to limit access to Tasmota devices.
- Disable the script interpreter feature if not needed.