CVE-2026-28519

HIGH 8.8

arduino-TuyaOpen DnsServer Heap-Based Buffer Overflow Remote Code Execution

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing execution of arbitrary code on affected embedded devices.

CWE	CWE-122
Vendor	tuya
Product	arduino-tuyaopen
Published	Mar 15, 2026
Last Updated	Mar 16, 2026

Stay Ahead of the Next One

Get instant alerts for tuya arduino-tuyaopen

Be the first to know when new high vulnerabilities affecting tuya arduino-tuyaopen are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Tuya / arduino-TuyaOpen

0 < 1.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

src.tuya.com: https://src.tuya.com/announcement/32 github.com: https://github.com/tuya/arduino-TuyaOpen vulncheck.com: https://www.vulncheck.com/advisories/arduino-tuyaopen-dnsserver-heap-based-buffer-overflow-remote-code-execution

Credits

Maxime ROSSI BELLOM