CVE-2026-38426 Overview
CVE-2026-38426 is a buffer overflow vulnerability [CWE-120] in arendst Tasmota firmware version 15.3.0.3 and earlier. The flaw resides in the xdrv_10_scripter.ino driver, specifically within the fetch_jpg() function. An unbounded strcpy() call writes attacker-controlled data into the fixed 40-byte buffer jpg_task.boundary[40]. A remote attacker can exploit this condition over the network without authentication or user interaction to execute arbitrary code on the affected device. Tasmota runs on ESP8266 and ESP32-based Internet of Things (IoT) devices, so the impact extends across home automation and industrial control deployments.
Critical Impact
Remote, unauthenticated attackers can corrupt memory in the Tasmota scripter component and execute arbitrary code on affected IoT devices.
Affected Products
- arendst Tasmota firmware version 15.3.0.3
- All Tasmota releases prior to 15.3.0.3
- ESP8266 and ESP32 devices running vulnerable Tasmota builds with the scripter driver enabled
Discovery Timeline
- 2026-05-27 - CVE-2026-38426 published to the National Vulnerability Database (NVD)
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-38426
Vulnerability Analysis
The vulnerability stems from unsafe string handling in the Tasmota scripter driver. The fetch_jpg() function in xdrv_10_scripter.ino copies an HTTP multipart boundary string into the jpg_task.boundary member using strcpy(). The destination buffer is statically allocated at 40 bytes. The source data originates from network-supplied input parsed during JPEG streaming operations. Because strcpy() performs no length validation, input exceeding 40 bytes overruns the buffer and corrupts adjacent memory.
On embedded targets such as ESP8266 and ESP32, the corrupted memory (on the stack or within the surrounding jpg_task structure) can include saved return addresses, function pointers, or task control structures. Attackers can leverage the overflow to redirect execution flow and achieve arbitrary code execution on the device.
Root Cause
The root cause is the use of strcpy() without bounds checking on a network-derived value. Tasmota allocates boundary[40] as a fixed-size array inside the jpg_task structure but never enforces a maximum copy length. Safer alternatives such as strncpy() (with explicit NUL termination, since it does not terminate a truncated copy), strlcpy(), or explicit length validation against sizeof(jpg_task.boundary) would prevent the overflow.
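The following is an added illustration of the pattern described above, not Tasmota's code: the jpg_task_t struct, the function names and the sample boundaries are constructed from the advisory's description (a 40-byte boundary array filled by strcpy() from network input). It places the unbounded copy beside a bounded replacement that validates the length against the array size and leaves the field in a defined state when the input is rejected.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for Tasmota's jpg_task: only the 40-byte boundary
 * array matches the advisory; the other field exists to show what an
 * overrun would clobber. */
struct jpg_task_t {
    char boundary[40];
    int  bytes_left;
};

/* Vulnerable form (CWE-120): strcpy() copies until the source NUL, so any
 * boundary of 40 or more characters writes past the array. Shown for
 * comparison only; the demo never calls it with untrusted input. */
void set_boundary_unbounded(struct jpg_task_t *t, const char *src)
{
    strcpy(t->boundary, src);
}

/* Hardened form: the terminator must appear within the first 40 bytes, i.e.
 * the boundary is at most 39 characters plus NUL. Overlong input is
 * rejected rather than truncated, because a truncated boundary would never
 * match the stream anyway, and the field is left in a defined state. */
bool set_boundary_checked(struct jpg_task_t *t, const char *src)
{
    const char *nul = memchr(src, '\0', sizeof t->boundary);
    if (nul == NULL) {
        t->boundary[0] = '\0';
        return false;
    }
    memcpy(t->boundary, src, (size_t)(nul - src) + 1); /* includes the NUL */
    return true;
}

/* Convenience wrapper: does src fit into a fresh task's boundary field? */
bool boundary_fits(const char *src)
{
    struct jpg_task_t t = { .boundary = "", .bytes_left = 0 };
    return set_boundary_checked(&t, src);
}

int main(void)
{
    struct jpg_task_t task = { .boundary = "", .bytes_left = 1234 };
    char overlong[128];                 /* constructed 127-character boundary */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("'frame'  : %s\n",
           set_boundary_checked(&task, "frame") ? "accepted" : "rejected");
    printf("127 x A  : %s, bytes_left still %d\n",
           set_boundary_checked(&task, overlong) ? "accepted" : "rejected",
           task.bytes_left);
    return 0;
}
```

Rejecting rather than truncating is the deliberate choice here: a silently shortened boundary would make the multipart parser fail later in a less obvious way, whereas an explicit failure can be logged and surfaced.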
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker with network reachability to the Tasmota device can send a crafted HTTP request containing an oversized JPEG multipart boundary. When the scripter driver invokes fetch_jpg(), the overlong boundary string overflows the buffer. Devices exposed to the internet, including those behind weak NAT or port-forwarded for remote control, are reachable from arbitrary sources. Technical details and proof-of-concept material are referenced in the GitHub CVE-2026-38426 Repository; the affected source is in the Tasmota Scripter Driver.
The vulnerability manifests in the boundary handling logic of fetch_jpg(). No verified exploitation code is reproduced here. Refer to the linked repositories for technical details.
Detection Methods for CVE-2026-38426
Indicators of Compromise
- HTTP requests to Tasmota web endpoints containing multipart boundary strings longer than 40 bytes
- Unexpected device reboots, watchdog resets, or crash dumps from Tasmota devices running the scripter driver
- Outbound connections from Tasmota devices to unknown hosts following inbound JPEG fetch requests
- Anomalous modifications to Tasmota rules, scripts, or MQTT topics following network access events
Detection Strategies
- Inventory all Tasmota devices and compare each running firmware version with 15.3.0.3 to identify vulnerable assets
- Monitor HTTP traffic to and from IoT subnets for malformed multipart requests targeting Tasmota endpoints
- Inspect device serial or syslog output for stack corruption indicators, exception handlers, or Guru Meditation errors on ESP32/ESP8266
- Correlate network flow telemetry for unexpected egress from IoT VLANs to internet destinations
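An added detection example (not from the page or from Tasmota) that implements the first indicator above: it extracts the boundary parameter from Content-Type header lines and flags any value that would not fit the described 40-byte buffer. The header samples are constructed; the 40-byte threshold comes from the advisory's description of jpg_task.boundary.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* sizeof(jpg_task.boundary) as described in the advisory */
#define BOUNDARY_BUF 40

/* Locates the value of the boundary= parameter in a Content-Type header
 * line. Handles an optional quoted value and trailing ';' parameters.
 * Returns a pointer to the first character and stores its length in *len,
 * or NULL when the header carries no boundary parameter. */
const char *find_boundary(const char *header, size_t *len)
{
    const char *p = strstr(header, "boundary=");
    if (p == NULL) return NULL;
    p += strlen("boundary=");
    bool quoted = (*p == '"');
    if (quoted) p++;
    const char *end = p;
    while (*end != '\0' && *end != '\r' && *end != '\n') {
        if (quoted ? (*end == '"') : (*end == ';' || isspace((unsigned char)*end)))
            break;
        end++;
    }
    *len = (size_t)(end - p);
    return p;
}

/* Boundary length in characters, 0 when the header has none. */
size_t boundary_length(const char *header)
{
    size_t len = 0;
    return find_boundary(header, &len) != NULL ? len : 0;
}

/* A boundary of 40 characters already needs 41 bytes once strcpy() appends
 * the NUL terminator, so anything >= 40 would overrun the described buffer. */
bool boundary_overflows(const char *header)
{
    return boundary_length(header) >= BOUNDARY_BUF;
}

/* Scans header lines, prints an alert for each suspicious one and returns
 * how many were flagged. */
int scan_headers(const char *const *lines, int count)
{
    int flagged = 0;
    for (int i = 0; i < count; i++) {
        if (boundary_overflows(lines[i])) {
            printf("ALERT boundary length %zu >= %d: %s\n",
                   boundary_length(lines[i]), BOUNDARY_BUF, lines[i]);
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    /* Constructed samples: a typical MJPEG stream header, a quoted boundary,
     * a 50-character boundary that RFC 2046 permits (up to 70) but that
     * overruns a 40-byte array, and a header with no multipart boundary. */
    const char *const samples[] = {
        "Content-Type: multipart/x-mixed-replace; boundary=frame",
        "Content-Type: multipart/x-mixed-replace; boundary=\"--myboundary\"; charset=binary",
        "Content-Type: multipart/x-mixed-replace; "
        "boundary=01234567890123456789012345678901234567890123456789",
        "Content-Type: image/jpeg",
    };
    int n = scan_headers(samples, 4);
    printf("%d of 4 headers flagged\n", n);
    return 0;
}
```

RFC 2046 allows boundaries of up to 70 characters, so a long boundary is not malformed in itself and this rule will also match legitimate non-Tasmota MJPEG sources; scope it to flows that involve Tasmota devices (the IoT VLAN, or the endpoints listed above) to keep the false-positive rate manageable.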
Monitoring Recommendations
- Deploy network segmentation controls and log all traffic crossing IoT VLAN boundaries
- Forward IoT device logs to a centralized logging or Security Information and Event Management (SIEM) platform for correlation
- Alert on repeated HTTP requests to /jpg or scripter-related URIs from non-administrative sources
- Track firmware version drift across the Tasmota fleet to detect unauthorized downgrades
How to Mitigate CVE-2026-38426
Immediate Actions Required
- Upgrade all Tasmota devices to a firmware release that supersedes version 15.3.0.3 and contains the boundary handling fix
- Restrict network access to Tasmota web and API endpoints using firewall rules or VLAN isolation
- Disable the scripter driver on devices that do not require it by rebuilding firmware without USE_SCRIPT
- Remove any internet-facing exposure of Tasmota devices and require VPN access for remote management
Patch Information
Review commits in the Tasmota repository for fixes to fetch_jpg() boundary handling. Apply the latest stable Tasmota release and verify that strcpy() calls operating on network-supplied data have been replaced with bounded copy routines.
Workarounds
- Place Tasmota devices on an isolated IoT network with no inbound connectivity from untrusted segments
- Disable JPEG fetch features and the scripter driver if not required for device operation
- Enforce strong authentication on the Tasmota web UI and MQTT broker to limit reachable attack paths
- Apply outbound egress filtering to prevent compromised devices from contacting attacker-controlled infrastructure
# Configuration example - restrict Tasmota access via iptables
# Assumes 192.168.50.0/24 is the management subnet and eth0 is the internet-facing interface
# Allow only the management subnet to reach the device's web interface; the ACCEPT must precede the DROP
iptables -A FORWARD -s 192.168.50.0/24 -d <tasmota_ip> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d <tasmota_ip> -p tcp --dport 80 -j DROP
# Egress filtering: block internet-bound traffic from the device (insert ACCEPT rules for required destinations such as NTP before this line)
iptables -A FORWARD -s <tasmota_ip> -o eth0 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.