CVE-2026-38427
Status: Deferred - Pending Action
Heap Buffer Overflow in Tasmota Firmware

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: MITRE

Description
An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t variable; values above 65535 wrap around, causing allocation of a smaller buffer than the data actually read.
Meta Information
Generated: 2026-06-16
EPSS Evaluated: 2026-06-15 (no CVSS or EPSS score is shown for this CVE)
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: tasmota
Product: xdrv_10_scripter
Version / Range: 15.3.0.3
CWE
CWE-122 (Heap-based Buffer Overflow): A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Executive Summary

CVE-2026-38427 is a heap buffer overflow (CWE-122) in the fetch_jpg() function of xdrv_10_scripter.ino, the scripting engine of Tasmota firmware, affecting Tasmota through version 15.3.0.3.

fetch_jpg() reads the Content-Length of a JPEG stream it has requested over HTTP and stores it in a uint16_t. A value above 65535 is silently reduced modulo 65536, so a response declaring 65,636 bytes (65,536 + 100) is treated as a 100-byte image and only a 100-byte heap buffer is allocated.

The body is then read according to the stream's real length, so the write runs past the end of the undersized buffer. Because the truncated value sizes the buffer and the full value drives the read, the overflow can be tens of kilobytes, corrupting neighbouring heap data including the device's HTTP/WiFi state.

Impact Analysis

The most reliable outcome is denial of service: corrupting heap metadata or neighbouring allocations crashes or resets the device, or leaves its network stack in a corrupted state.

Remote code execution, particularly on ESP32 devices, is a possibility rather than a demonstrated result; the description establishes only the overflow. No authentication is involved because the device is the HTTP client: it initiates the fetch, and whoever answers that request controls the Content-Length.

The attacker therefore needs to be the server the script fetches from (a malicious or compromised MJPEG/JPEG source) or to sit on the network path and rewrite the response (MITM). Any device running a vulnerable build with a script that calls fetch_jpg() against an endpoint the operator does not fully control is exposed.

Detection Guidance

The overflow is triggered by the HTTP response the device receives when a script calls fetch_jpg(), so detection should look at responses returned to Tasmota devices rather than at requests sent to them. The affected code stores any Content-Length above 65535 as (Content-Length mod 65536), so a JPEG larger than 64 KiB served to a vulnerable device undersizes the buffer. A large image is not malicious by itself, which is why this signal should be paired with device-side symptoms.

In practice this means capturing traffic between the device and its stream source, looking for large Content-Length values in responses addressed to the device, and correlating them with crashes, watchdog resets or lost WiFi/HTTP connectivity on the device.

  • Use tcpdump or Wireshark to capture the device's HTTP traffic to the stream source. Port 80 is only an example: capture on whatever port the script's URL names, and note that a TLS-protected stream hides the header from passive capture.
  • Example tcpdump command for HTTP on port 80, limited to one device: tcpdump -i <interface> host <tasmota-ip> and tcp port 80 -w capture.pcap
  • In Wireshark, apply a display filter such as http.content_length > 65535 (add && http.response to keep only responses) and check which of those responses went to the device.
  • Correlate with device behaviour: unexpected reboots, an exception rather than a software restart recorded as the restart reason, or a script that stops rendering images after a fetch.
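The following C program is an added example written for this page; it is not Tasmota code and does not reproduce fetch_jpg(). It models the mechanism from the Executive Summary (a Content-Length stored into a uint16_t) beside a hardened sizing routine, and it implements the "does not fit in 16 bits" check from the detection bullets above over two constructed HTTP responses. The 96 KiB cap (MAX_JPEG_BYTES), the sample headers and every function name are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for one JPEG frame on a small device. This is an
 * example constant, not a Tasmota setting. */
#define MAX_JPEG_BYTES (96u * 1024u)

/* Case-insensitive "does s start with key", without POSIX strncasecmp. */
static int ci_prefix(const char *s, const char *key) {
    for (; *key; s++, key++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*key)) return 0;
    }
    return 1;
}

/* Return the Content-Length from a block of HTTP response headers, or -1 if
 * the header is missing, malformed, or does not fit in 32 bits. */
long long parse_content_length(const char *headers) {
    const char *p = headers;
    while (p && *p) {
        if (ci_prefix(p, "content-length:")) {
            p += strlen("content-length:");
            while (*p == ' ' || *p == '\t') p++;
            if (!isdigit((unsigned char)*p)) return -1;
            char *end;
            errno = 0;
            unsigned long long v = strtoull(p, &end, 10);
            if (errno == ERANGE || v > UINT32_MAX) return -1;
            while (*end == ' ' || *end == '\t' || *end == '\r') end++;
            if (*end != '\n' && *end != '\0') return -1;   /* trailing garbage */
            return (long long)v;
        }
        p = strchr(p, '\n');   /* advance to the next header line */
        if (p) p++;
    }
    return -1;
}

/* The buggy pattern from the advisory: the length is stored in a uint16_t, so
 * the buffer is sized by content_length mod 65536 while the body read still
 * expects content_length bytes. Returns the size the buggy code would allocate. */
uint16_t vulnerable_alloc_size(uint32_t content_length) {
    uint16_t len = (uint16_t)content_length;   /* 65636 becomes 100 */
    return len;
}

/* Bytes a full-length body read would write past the undersized buffer. */
uint32_t vulnerable_overflow_bytes(uint32_t content_length) {
    return content_length - (uint32_t)vulnerable_alloc_size(content_length);
}

/* Hardened sizing: keep the value in a wide type, bound it explicitly, and
 * only then derive the allocation size. Returns 0 when the length is rejected. */
size_t hardened_alloc_size(uint32_t content_length) {
    if (content_length == 0 || content_length > MAX_JPEG_BYTES) return 0;
    return (size_t)content_length;
}

/* Detection heuristic from the guidance above: a response to a Tasmota fetch
 * whose Content-Length does not fit in 16 bits. 1 = flagged, 0 = not flagged,
 * -1 = no usable Content-Length header. */
int flag_response(const char *headers) {
    long long len = parse_content_length(headers);
    if (len < 0) return -1;
    return len > UINT16_MAX ? 1 : 0;
}

/* Constructed sample responses for the example (not captured traffic). */
const char kBenignResponse[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/jpeg\r\n"
    "Content-Length: 30000\r\n"
    "\r\n";

const char kWrappingResponse[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/jpeg\r\n"
    "Content-Length: 65636\r\n"      /* 65536 + 100: a uint16_t sees 100 */
    "\r\n";

int main(void) {
    const char *samples[] = { kBenignResponse, kWrappingResponse };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long len = parse_content_length(samples[i]);
        if (len < 0) { puts("no usable Content-Length"); continue; }
        uint32_t cl = (uint32_t)len;
        printf("Content-Length=%u  uint16 alloc=%u  overflow=%u bytes  hardened=%zu  flagged=%d\n",
               (unsigned)cl, (unsigned)vulnerable_alloc_size(cl),
               (unsigned)vulnerable_overflow_bytes(cl),
               hardened_alloc_size(cl), flag_response(samples[i]));
    }
    return 0;
}
```

The hardened routine accepts the 65,636-byte response because, held in a 32-bit type, nothing wraps; what it rejects is anything above the explicit cap, which is the check the buggy code lacked. The same parse feeds the detection heuristic, so a response the device would mis-size is exactly the one that gets flagged.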
Mitigation Strategies

Upgrade to Tasmota 15.3.0.4 or later, the first release after the affected range (through 15.3.0.3), where fetch_jpg() has been patched.

Until then, control what the device can fetch rather than who can reach the device: the overflow arrives in an HTTP response to the device's own request. Point fetch_jpg() only at stream sources you operate, keep the device and the source on a trusted network segment, and restrict the device's outbound HTTP with egress filtering where the network allows it.

If the device does not need to render fetched images, remove or disable the script that calls fetch_jpg(). Tasmota's scripting engine is a compile-time option, so builds that do not include it are not reachable through this code path.

Compliance Impact

The information on this page does not identify a direct impact on compliance with standards such as GDPR or HIPAA.
