Single-byte Buffer Overflow Vulnerability in Arduino-TuyaOpen IoT Devices
CVE-2026-28520

8.6HIGH

Key Information:

Vendor

Tuya

Status
Arduino-tuyaopen
Vendor
CVE Published:
15 March 2026

What is CVE-2026-28520?

The arduino-TuyaOpen library, prior to version 1.2.1, has a critical buffer overflow vulnerability in its WiFiMulti component. This flaw can be exploited when a victim’s smart hardware connects to a malicious access point controlled by an attacker. Successful exploitation could lead to the execution of arbitrary code on the affected embedded device, thereby compromising its functionality and security.

Affected Version(s)

arduino-TuyaOpen 0 < 1.2.1

References

https://src.tuya.com/announcement/32
vendor-advisory
https://github.com/tuya/arduino-TuyaOpen
product
https://www.vulncheck.com/advisories/arduino-tuyaopen-wif...
third-party-advisory

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maxime ROSSI BELLOM
.