CVE-2026-38427 Overview
CVE-2026-38427 is a heap buffer overflow in the fetch_jpg() function of xdrv_10_scripter.ino in Tasmota through version 15.3.0.3. The flaw stems from an integer truncation: the HTTP Content-Length of an incoming JPEG stream is stored in a uint16_t, so values above 65535 wrap modulo 65536 and Tasmota allocates a buffer smaller than the body it subsequently reads into it. An attacker who controls, or can tamper with, the HTTP server the device fetches the image from can trigger the condition over the network without authenticating to the device and corrupt heap memory.
Critical Impact
A remote, unauthenticated attacker who can serve or modify the JPEG response that a scripted Tasmota device fetches can trigger a heap buffer overflow on the device, leading to memory corruption, denial of service, or potential code execution.
Affected Products
- Tasmota firmware versions through 15.3.0.3
- The xdrv_10_scripter driver (fetch_jpg() function)
- ESP-based IoT devices running vulnerable Tasmota builds with the scripter driver enabled
Discovery Timeline
- 2026-05-27 - CVE-2026-38427 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-38427
Vulnerability Analysis
The vulnerability resides in the fetch_jpg() function inside xdrv_10_scripter.ino, a script driver shipped with Tasmota. The function retrieves a JPEG image from a remote HTTP source for use within Tasmota scripts. During this operation, the server-supplied Content-Length header is parsed and used to allocate a heap buffer sized to hold the incoming JPEG payload.
The root issue is a numeric truncation defect whose consequence is classified as a heap-based buffer overflow [CWE-122]. The size value is stored in a 16-bit unsigned integer, which can only represent 0 to 65535. Any Content-Length greater than 65535 wraps modulo 65536 to a much smaller value (70000 becomes 4464, for instance), while the HTTP body read into the buffer reflects the true, larger size. The driver then writes past the end of the allocated heap region.
Root Cause
The defect is an integer truncation in size handling. Storing Content-Length in a uint16_t does not match the range of legitimate or attacker-controlled HTTP payload sizes. The allocation and the read are decoupled in width, so allocator size and copy length diverge whenever the header value exceeds 65535.
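To make the width mismatch concrete, the following C program is an added illustration, not code from Tasmota or from the researchers who reported the CVE. It models the decoupled allocation and read that this advisory describes (the real fetch_jpg() read loop is not reproduced) against a constructed in-memory byte stream, computes how far a truncated allocation falls short of the body for a given Content-Length without performing the out-of-bounds write, and shows the hardened shape of the same routine: a strict header parser, a size_t-wide length carried from header to allocation to read loop, an explicit cap (32 KiB here, an assumed value chosen to match the egress threshold suggested under Workarounds, not a Tasmota constant), and a read loop bounded by the allocation rather than by the header. The names stream_t, parse_content_length, vulnerable_overflow_bytes, fetch_jpg_hardened and try_fetch are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap on an acceptable JPEG body; matches the 32 KiB egress threshold
   suggested in the Workarounds section. Not a value taken from Tasmota. */
#define MAX_JPG_BYTES (32u * 1024u)

/* Constructed stand-in for the HTTP body socket: yields `total` bytes of 0x41.
   The real driver reads from a network client; that code is not modelled. */
typedef struct { size_t total; size_t pos; } stream_t;

static size_t stream_read(stream_t *s, uint8_t *dst, size_t n) {
    size_t avail = s->total - s->pos;
    if (n > avail) n = avail;
    memset(dst, 0x41, n);
    s->pos += n;
    return n;
}

/* The defect in one line: the advisory describes Content-Length being stored
   in a uint16_t, so the allocation size is content_length mod 65536 while the
   copy still runs for the full content_length. This computes the number of
   bytes that would land past the allocation; it performs no write. */
size_t vulnerable_overflow_bytes(size_t content_length) {
    uint16_t alloc_len = (uint16_t)content_length;   /* 70000 -> 4464 */
    return content_length > alloc_len ? content_length - alloc_len : 0;
}

/* Strict Content-Length parser: decimal digits only, no sign or whitespace,
   and no overflow of size_t. Anything else is rejected. */
bool parse_content_length(const char *value, size_t *out) {
    if (value == NULL || *value == '\0') return false;
    size_t n = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') return false;
        size_t d = (size_t)(*p - '0');
        if (n > (SIZE_MAX - d) / 10) return false;
        n = n * 10 + d;
    }
    *out = n;
    return true;
}

typedef enum { FETCH_OK, FETCH_BAD_LENGTH, FETCH_BAD_SIZE, FETCH_OOM, FETCH_SHORT } fetch_status_t;

/* Hardened shape of the routine: one size_t carries the length from header to
   allocation to read loop, the value is bounded before malloc (zero and
   anything above the cap are refused), and the loop never asks for more than
   the allocation can hold. On FETCH_OK the caller owns and frees *out_buf. */
fetch_status_t fetch_jpg_hardened(stream_t *body, const char *content_length_hdr,
                                  uint8_t **out_buf, size_t *out_len) {
    size_t len = 0;
    *out_buf = NULL;
    *out_len = 0;
    if (!parse_content_length(content_length_hdr, &len)) return FETCH_BAD_LENGTH;
    if (len == 0 || len > MAX_JPG_BYTES) return FETCH_BAD_SIZE;
    uint8_t *buf = malloc(len);
    if (buf == NULL) return FETCH_OOM;
    size_t got = 0;
    while (got < len) {
        size_t n = stream_read(body, buf + got, len - got);  /* bounded by len */
        if (n == 0) break;                                   /* server closed early */
        got += n;
    }
    if (got != len) { free(buf); return FETCH_SHORT; }
    *out_buf = buf;
    *out_len = len;
    return FETCH_OK;
}

/* Convenience wrapper: run the hardened fetch against a constructed body of
   `body_bytes` bytes and the given header value, returning only the status. */
fetch_status_t try_fetch(const char *content_length_hdr, size_t body_bytes) {
    stream_t s = { body_bytes, 0 };
    uint8_t *buf = NULL;
    size_t len = 0;
    fetch_status_t st = fetch_jpg_hardened(&s, content_length_hdr, &buf, &len);
    free(buf);
    return st;
}

int main(void) {
    size_t cl = 70000;
    printf("Content-Length %zu: vulnerable alloc %u bytes, %zu bytes would overflow\n",
           cl, (unsigned)(uint16_t)cl, vulnerable_overflow_bytes(cl));
    printf("hardened, header 70000: status %d (2 = refused before malloc)\n",
           try_fetch("70000", 70000));
    printf("hardened, header 20000, 20000-byte body: status %d (0 = ok)\n",
           try_fetch("20000", 20000));
    printf("hardened, header 20000, 100-byte body: status %d (4 = short read)\n",
           try_fetch("20000", 100));
    return 0;
}
```

The point of the hardened version is not the cap value but that a single width is used end to end and the read loop is driven by the allocation, so a lying or oversized header can only cause a refusal or a short read, never a write past the buffer.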
Attack Vector
An attacker controls a server that the Tasmota device fetches a JPEG from, either by hosting a malicious endpoint referenced in a script or by intercepting and rewriting an outbound JPEG fetch. The server responds with a Content-Length greater than 65535 and a body that fills the smaller wrapped allocation and overflows adjacent heap structures. On ESP-class hardware, heap corruption typically results in device crash, watchdog reset, or, depending on heap layout, manipulation of subsequent allocations.
No proof-of-concept is reproduced on this page. Refer to the Tasmota scripter source (xdrv_10_scripter.ino) on GitHub and the CVE-2026-38427 research repository for implementation details.
Detection Methods for CVE-2026-38427
Indicators of Compromise
- Tasmota devices experiencing repeated unexpected reboots, watchdog resets, or heap allocation errors in serial logs after script-driven JPEG fetches.
- Outbound HTTP requests from Tasmota devices to untrusted hosts returning JPEG responses with Content-Length headers larger than 65535 bytes.
- Script content referencing fetch_jpg with URLs the attacker can influence, either directly or through an interceptable plain-HTTP path.
Detection Strategies
- Inspect Tasmota script configurations for use of the fetch_jpg command and review the destination URLs for untrusted origins.
- Monitor network traffic from IoT VLANs for HTTP responses to Tasmota clients containing oversized JPEG payloads or anomalous Content-Length values.
- Correlate device crash telemetry with preceding outbound HTTP image fetches to identify exploitation attempts.
Monitoring Recommendations
- Centralize Tasmota MQTT and syslog output and alert on WARNING or ERROR messages indicating heap corruption, allocation failure, or unexpected restarts.
- Egress filter Tasmota devices so they can only reach a known allowlist of HTTP endpoints used by approved scripts.
- Track firmware versions across the fleet to identify devices running Tasmota 15.3.0.3 or earlier with the scripter feature enabled.
How to Mitigate CVE-2026-38427
Immediate Actions Required
- Disable the scripter driver or remove any fetch_jpg usage from Tasmota scripts until a patched firmware build is deployed.
- Restrict Tasmota devices to a segmented IoT network with no inbound exposure and tightly controlled outbound HTTP access.
- Inventory all Tasmota devices and identify those running 15.3.0.3 or earlier for prioritized remediation.
Patch Information
At the time of NVD publication on 2026-05-27, no vendor advisory or fixed release is referenced in the CVE record. Track the upstream Tasmota repository for a build later than 15.3.0.3 that widens the Content-Length storage type and validates the value against the allocated buffer size before reading the HTTP body.
Workarounds
- Point fetch_jpg URLs only at trusted, internally controlled HTTP servers that cannot be redirected or tampered with.
- Place a reverse proxy or firewall in front of Tasmota egress to strip or cap responses whose Content-Length exceeds a safe threshold such as 32 KiB.
- Remove or comment out script lines invoking JPEG fetches where the feature is not required.
# Configuration example: stop the scripter from running fetch_jpg on a live device
# From the Tasmota console, disable script execution. Script 0 stops the script
# but does not delete it; if the scripter must stay enabled, also remove the
# fetch_jpg lines from the script in the web editor before re-enabling with Script 1.
Script 0
# Or build firmware without the scripter driver by adding the following lines to
# user_config_override.h before flashing. Tasmota compiles either the scripter or
# the rules engine, so a build without USE_SCRIPT should define USE_RULES if rules
# are still needed:
#undef USE_SCRIPT
#undef USE_SCRIPT_FATFS
#define USE_RULES
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


