← Back to CVEs
CVE-2026-0918
HIGH7.5
Description
The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
CVE Details
CVSS v3.1 Score7.5
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published1/27/2026
Last Modified3/16/2026
Sourcenvd
Honeypot Sightings0
Affected Products
tp-link:tapo_c220tp-link:tapo_c220_firmwaretp-link:tapo_c520wstp-link:tapo_c520ws_firmware
Weaknesses (CWE)
CWE-476
References
https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned(f23511db-6c3e-4e32-a477-6aa17d310630)
https://www.tp-link.com/en/support/download/tapo-c220/v1/(f23511db-6c3e-4e32-a477-6aa17d310630)
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/(f23511db-6c3e-4e32-a477-6aa17d310630)
https://www.tp-link.com/us/support/download/tapo-c100/v5/(f23511db-6c3e-4e32-a477-6aa17d310630)
https://www.tp-link.com/us/support/download/tapo-c220/v1.60/(f23511db-6c3e-4e32-a477-6aa17d310630)
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/(f23511db-6c3e-4e32-a477-6aa17d310630)
https://www.tp-link.com/us/support/faq/4923/(f23511db-6c3e-4e32-a477-6aa17d310630)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.