Denial of Service Vulnerability in Tuya App and SDK for Android
CVE-2026-3465
What is CVE-2026-3465?
A denial of service vulnerability exists in the Tuya App and SDK for Android, specifically in the JSON Data Point Handler component. This issue arises when the argument cruise_time is manipulated, potentially leading to application disruptions. While remote exploitation is theoretically possible, the attack complexity is high, and there are ongoing debates about the authenticity and exploitability of the vulnerability. The vendor has expressed skepticism regarding the severity of the findings, asserting that the reported issue does not constitute a security vulnerability, but rather reflects unusual product behavior.
Affected Version(s)
App 24.07.11
SDK 24.07.11
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. It is also a key component of weaponization, which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
