Out-of-Bounds Memory Read Vulnerability in Arduino-TuyaOpen by Tuya
CVE-2026-28521

7HIGH

Key Information:

Vendor

Tuya

Status
Arduino-tuyaopen
Vendor
CVE Published:
15 March 2026

What is CVE-2026-28521?

The arduino-TuyaOpen library, prior to version 1.2.1, presents an out-of-bounds memory read vulnerability within the TuyaIoT component. This flaw enables an attacker, who gains control over the Tuya cloud service, to send malicious data to victim devices, potentially leading to unauthorized access to sensitive information or a denial-of-service scenario.

Affected Version(s)

arduino-TuyaOpen 0 < 1.2.1

References

https://src.tuya.com/announcement/32
vendor-advisory
https://github.com/tuya/arduino-TuyaOpen
product
https://www.vulncheck.com/advisories/arduino-tuyaopen-tuy...
third-party-advisory

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maxime ROSSI BELLOM
.