Null Pointer Dereference Vulnerability in Tuya's Arduino-TuyaOpen Product
CVE-2026-28522

7.1HIGH

Key Information:

Vendor

Tuya

Status
Arduino-tuyaopen
Vendor
CVE Published:
15 March 2026

What is CVE-2026-28522?

The arduino-TuyaOpen product from Tuya is susceptible to a vulnerability in its WiFiUDP component that allows an attacker on the same local network to exploit a null pointer dereference. By sending a high volume of malicious UDP packets, an attacker can exhaust the device's memory, resulting in a denial-of-service condition. This poses significant risks to network availability and integrity.

Affected Version(s)

arduino-TuyaOpen 0 < 1.2.1

References

https://src.tuya.com/announcement/32
vendor-advisory
https://github.com/tuya/arduino-TuyaOpen
product
https://www.vulncheck.com/advisories/arduino-tuyaopen-wif...
third-party-advisory

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maxime ROSSI BELLOM
.