CVE-2026-0918
Essential information
- Published
- 27/01/2026 18:15
- Modified
- 27/01/2026 18:15
- Author
- —
- Creator
- —
- CVSS
- 7.1 HIGH (v3) 7.1 HIGH (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
—
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- ADJACENT
- Attack complexity
- LOW
- Attack requirements
- NONE
- Privileges required
- NONE
- User interaction
- NONE
- Confidentiality (V)
- NONE
- Confidentiality (S)
- NONE
- Integrity (V)
- NONE
- Integrity (S)
- NONE
- Availability (V)
- HIGH
- Availability (S)
- NONE
- Exploit maturity
- NOT_DEFINED
Description
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
NVD status
- Status
- Received — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- f23511db-6c3e-4e32-a477-6aa17d310630
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| tapo / tapo c220 | cpe:2.3:a:tapo:tapo_c220:*:*:*:*:*:*:*:* |
| tapo / tapo c520ws v2 | cpe:2.3:a:tapo:tapo_c520ws_v2:*:*:*:*:*:*:*:* |