CVE-2026-0918

7.5 HIGH
Published: January 27, 2026 Modified: March 16, 2026
View on NVD

Description

The Tapo C220 v1 and C520WS v2 camerasโ€™ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash.ย An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned
Source: f23511db-6c3e-4e32-a477-6aa17d310630
https://www.tp-link.com/en/support/download/tapo-c220/v1/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Product
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Product
https://www.tp-link.com/us/support/download/tapo-c100/v5/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Product
https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Product
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Product
https://www.tp-link.com/us/support/faq/4923/
Source: f23511db-6c3e-4e32-a477-6aa17d310630
Vendor Advisory

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.0%
10th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-476

Affected Vendors

tp-link

Related CVEs

CVE-2026-4558 8.8
CVE-2026-4557 4.3
CVE-2026-4555 8.8
CVE-2026-4554 6.3
CVE-2026-33319 5.9