
Description

The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.

PUBLISHED Reserved 2026-01-13 | Published 2026-01-27 | Updated 2026-02-09 | Assigner TPLink




HIGH: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-476 NULL Pointer Dereference

Product status

Default status: unaffected
Any version before 1.4.2 Build 251112: affected

Default status: unaffected
Any version before 1.2.3 Build 251114: affected

Default status: unaffected
Any version before 1.4.3 Build 251128: affected

Credits

Diogo Almeida @NeWbie (finder)

Azim Javed & Ayushman Agrawal Hingorani from CRAC Learning (finder)

References

www.tp-link.com/us/support/download/tapo-c220/v1.60/ (patch)

www.tp-link.com/en/support/download/tapo-c220/v1/ (patch)

www.tp-link.com/us/support/download/tapo-c520ws/v2/ (patch)

www.tp-link.com/en/support/download/tapo-c520ws/v2/ (patch)

www.tp-link.com/us/support/faq/4923/ (vendor-advisory)

www.tp-link.com/us/support/download/tapo-c100/v5/ (patch)

cve.org (CVE-2026-0918)

nvd.nist.gov (CVE-2026-0918)
