PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-38427 Tasmota CVE debrief

A heap buffer overflow vulnerability exists in the Tasmota open-source firmware, specifically within the `fetch_jpg()` function in `xdrv_10_scripter.ino`. The flaw stems from the `Content-Length` header value of a JPEG stream being stored in a `uint16_t` variable. When a server returns a `Content-Length` greater than 65,535 bytes, the value is truncated modulo 65,536 (the CVE record describes this as an integer overflow), so the subsequent heap allocation is smaller than the body the server then sends. Writing the full JPEG data into that undersized buffer overflows the heap. The vulnerability affects Tasmota versions through 15.3.0.3 and is remotely exploitable without authentication; the trigger is a response from the server the device fetches the image from, so the attacker must control that server or be able to interpose on the connection. The CVSS 3.1 score of 7.3 (HIGH) reflects network attack vector, low attack complexity, and no required privileges or user interaction, with impacts to confidentiality, integrity, and availability each rated LOW. The weakness is classified as CWE-122 (Heap-based Buffer Overflow). The CVE was published on 2026-05-27 and last modified the same day. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor
Tasmota
Product
Tasmota
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations deploying Tasmota-based IoT devices, particularly those using the Scripter driver for JPEG image fetching; security teams managing OT/IoT environments; firmware developers maintaining Tasmota forks or custom builds; and network administrators responsible for IoT device segmentation and access control.

Technical summary

The `fetch_jpg()` function in Tasmota's Scripter driver (`xdrv_10_scripter.ino`) retrieves JPEG images from remote HTTP streams. The function stores the HTTP `Content-Length` header value in a 16-bit unsigned integer (`uint16_t`), whose maximum value is 65,535. When a malicious or compromised server returns a `Content-Length` above that limit, only the low 16 bits survive the narrowing conversion: a declared length of 65,536 + N becomes N. The truncated value is then used to size the heap buffer, so an attacker can choose N small enough that the allocation succeeds on a memory-constrained device, after which the function reads the full body (potentially hundreds of kilobytes) into a buffer of N bytes, overflowing the heap. This memory corruption can cause a denial of service (crash and reboot), information disclosure, or potentially code execution on the affected ESP8266/ESP32 device. No authentication is required, but the device must fetch a stream from a server the attacker controls or can interpose on (for example a plaintext HTTP fetch on a network where the attacker can spoof the origin), which makes internet-exposed Tasmota devices and devices fetching from compromised infrastructure the realistic targets.
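The following C program is an added illustration of the bug class described above; it is not Tasmota's code and does not reproduce `fetch_jpg()`. It models the vulnerable pattern (declared length narrowed to `uint16_t`, then used to size the buffer) as a dry run that reports how many bytes would land past the allocation, and places a hardened fetch beside it that keeps the length in a wide type, rejects bodies above a cap, and never copies more than it allocated. The cap `MAX_JPG_BYTES`, the header line, and the sample stream are constructed for the example and are assumptions, not values from the advisory.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for an image body on an ESP-class device.
   Chosen for this example; not a value taken from the Tasmota source. */
#define MAX_JPG_BYTES (48UL * 1024UL)

/* Parse "Content-Length: <decimal>" (optional trailing CRLF).
   Returns the value, or -1 if the line is malformed or out of range. */
long parse_content_length(const char *line) {
    static const char prefix[] = "Content-Length:";
    const char *p;
    char *end;
    unsigned long v;

    if (strncmp(line, prefix, sizeof prefix - 1) != 0) return -1;
    p = line + sizeof prefix - 1;
    while (*p == ' ' || *p == '\t') p++;
    if (*p < '0' || *p > '9') return -1;          /* must start with a digit */
    errno = 0;
    v = strtoul(p, &end, 10);
    if (errno == ERANGE || v > LONG_MAX) return -1;
    while (*end == ' ' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return -1;                  /* reject trailing junk */
    return (long)v;
}

/* Vulnerable pattern: the declared length is stored in a uint16_t, so
   anything above 65535 is truncated modulo 65536 before sizing the buffer.
   Returns the size the buggy code would pass to the allocator. */
uint16_t vulnerable_alloc_size(unsigned long content_length) {
    uint16_t len = (uint16_t)content_length;      /* 70000 -> 4464 */
    return len;
}

/* Dry run of the vulnerable read loop: the server sends content_length
   bytes, the buffer holds the truncated size. Returns how many bytes would
   be written past the end of the allocation (0 means no overflow). */
unsigned long vulnerable_overflow_bytes(unsigned long content_length) {
    uint16_t alloc = vulnerable_alloc_size(content_length);
    return content_length > alloc ? content_length - alloc : 0;
}

/* Hardened fetch: wide length type, explicit cap, copy bounded by the
   allocation even if the server sends more than it declared.
   Returns bytes stored (caller frees *out) or a negative error code. */
long hardened_fetch(const char *header_line, const uint8_t *stream,
                    size_t stream_len, uint8_t **out) {
    long declared = parse_content_length(header_line);
    size_t n;
    uint8_t *buf;

    *out = NULL;
    if (declared < 0) return -1;                            /* bad header */
    if (declared == 0 || (unsigned long)declared > MAX_JPG_BYTES) return -2;
    buf = malloc((size_t)declared);
    if (!buf) return -3;
    n = stream_len < (size_t)declared ? stream_len : (size_t)declared;
    memcpy(buf, stream, n);                                 /* never past buf */
    *out = buf;
    return (long)n;
}

/* Convenience wrapper: builds a constructed stream of stream_len bytes
   (JPEG SOI marker then zeros) and returns hardened_fetch's result. */
long hardened_fetch_bytes(const char *header_line, size_t stream_len) {
    uint8_t *stream = calloc(stream_len ? stream_len : 1, 1);
    uint8_t *out = NULL;
    long r;

    if (!stream) return -3;
    if (stream_len >= 2) { stream[0] = 0xFF; stream[1] = 0xD8; }
    r = hardened_fetch(header_line, stream, stream_len, &out);
    free(out);
    free(stream);
    return r;
}

int main(void) {
    const char *hdr = "Content-Length: 70000\r\n";      /* constructed */
    long declared = parse_content_length(hdr);
    printf("declared=%ld truncated_alloc=%u overflow_bytes=%lu\n",
           declared, vulnerable_alloc_size((unsigned long)declared),
           vulnerable_overflow_bytes((unsigned long)declared));
    printf("hardened: %ld\n", hardened_fetch_bytes(hdr, 70000));
    printf("hardened small body: %ld\n",
           hardened_fetch_bytes("Content-Length: 16", 32));
    return 0;
}
```

The dry run is deliberate: a real overflow is undefined behaviour and would corrupt the host heap, so the vulnerable path only computes what would be written. The interesting case is the one the advisory describes, a declared length just above 65,536, where the truncated size is small enough for `malloc()` to succeed on a device with tens of kilobytes of free heap and the body is then large enough to smash it.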

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Tasmota firmware to a release later than 15.3.0.3 as soon as a patched build is available
  • Where scripting is not needed, deploy builds that do not define `USE_SCRIPT`; the Scripter driver, and with it `fetch_jpg()`, is only compiled in when that option is set
  • Review and restrict network access to Tasmota devices running the Scripter driver, particularly those fetching JPEG streams from untrusted sources, and prefer stream URLs the device reaches only over a trusted internal network
  • Monitor for anomalous network connections from Tasmota devices to unexpected external JPEG stream sources
  • Apply network segmentation to isolate IoT devices running Tasmota from critical infrastructure
  • Review custom scripts using `fetch_jpg()` for exposure to attacker-controlled JPEG stream endpoints, including plaintext HTTP fetches that an on-path attacker could answer

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The affected code location is identified in the Tasmota repository at a specific commit. The CWE-122 classification is provided by NVD. The CVSS vector confirms a network attack vector and no authentication requirement; it does not by itself indicate that the device must first contact an attacker-influenced server, which the technical summary above draws from the description of `fetch_jpg()`.

Official resources

The vulnerability was disclosed via MITRE and NVD on 2026-05-27. A proof-of-concept repository has been published by a security researcher, though no active exploitation has been confirmed in the wild.