Heap-Based Buffer Overflow in TuyaOpen Arduino Library
CVE-2026-28519

8.7 HIGH

Key Information:

Vendor: Tuya
CVE Published: 15 March 2026

What is CVE-2026-28519?

The arduino-TuyaOpen library prior to version 1.2.1 is vulnerable to a heap-based buffer overflow in the DnsServer component. This vulnerability allows attackers on the same local area network to exploit a vulnerable LAN DNS server by sending malicious DNS responses. Such exploitation can lead to arbitrary code execution on the affected embedded devices, posing significant security risks to users.

Affected Version(s)

arduino-TuyaOpen: all versions before 1.2.1

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maxime ROSSI BELLOM