CVE-2026-6239 Overview
CVE-2026-6239 is a stack-based buffer overflow [CWE-121] in the TP-Link Tapo C520WS v2 IP camera. The vulnerability resides in the Open Network Video Interface Forum (ONVIF) CreateUsers service. The device fails to validate the number of XML user nodes during request processing. An authenticated attacker on an adjacent network can send a crafted ONVIF request containing an excessive number of user entries. The malformed request triggers memory corruption on the device stack. Successful exploitation terminates the ONVIF management service, producing a denial-of-service (DoS) condition that disrupts device configuration and management.
Critical Impact
Authenticated adjacent-network attackers can crash the ONVIF management service on Tapo C520WS v2 cameras, disabling remote configuration and management of the device.
Affected Products
- TP-Link Tapo C520WS v2 (IP camera)
- ONVIF CreateUsers service implementation on affected firmware
- Deployments exposing the camera ONVIF interface on the local network
Discovery Timeline
- 2026-06-06 - CVE-2026-6239 published to the National Vulnerability Database (NVD)
- 2026-06-08 - Last updated in the NVD
Technical Details for CVE-2026-6239
Vulnerability Analysis
The flaw is a stack-based buffer overflow in the ONVIF CreateUsers handler on the Tapo C520WS v2. ONVIF is a standard for IP-based physical security products and uses SOAP-style XML requests over HTTP. The CreateUsers operation accepts a list of user records inside the SOAP request body. Each User element is parsed and copied into a fixed-size buffer on the stack. The service fails to validate the number of User nodes supplied before processing. Supplying many user nodes causes the parser to write past the bounds of the stack buffer, corrupting adjacent frame data including the saved return address. The result is an immediate crash of the ONVIF management service and loss of remote management capability.
Root Cause
The root cause is a missing check on the number of User nodes in the ONVIF request parser [CWE-121]. The handler iterates over child XML nodes representing users and copies each entry into a stack-allocated structure. No bounds check enforces the maximum number of nodes against the buffer capacity. Authentication is required, so the attacker must already hold valid ONVIF credentials on the device.
Attack Vector
The attack vector is Adjacent Network. An attacker on the same logical network segment as the camera authenticates to the ONVIF endpoint. The attacker then issues a SOAP CreateUsers request containing a large array of <User> child elements. The oversized node list overflows the stack buffer and crashes the ONVIF service. The vulnerability does not yield confidentiality or integrity impact according to the published CVSS vector. The realized impact is availability loss against device management.
No verified proof-of-concept code is published. See the TP-Link Tapo C520WS Firmware Release Notes for firmware change details.
Detection Methods for CVE-2026-6239
Indicators of Compromise
- Unexpected restart or unavailability of the ONVIF management service on Tapo C520WS v2 cameras
- Loss of ONVIF discovery or configuration responses from the camera following authenticated client traffic
- SOAP requests targeting the CreateUsers operation containing an unusually large number of <User> XML elements
Detection Strategies
- Inspect HTTP/SOAP traffic to camera ONVIF endpoints for CreateUsers requests with abnormally large bodies or repeated <User> nodes
- Correlate ONVIF authentication events with subsequent camera offline or service-restart events to identify exploitation attempts
- Alert on repeated authenticated ONVIF sessions from a single host followed by camera disconnects on the management VLAN
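The first detection strategy above, sketched as an added example (not TP-Link code and not part of the original advisory): a passive inspector that counts User children of CreateUsers in a captured request body. The function name, both thresholds and the sample body are assumptions made for illustration; the advisory does not state the buffer capacity, so the node limit is a policy value, not the overflow boundary.

```python
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 64 * 1024  # assumption: legitimate CreateUsers bodies are small
MAX_USER_NODES = 8          # assumption: the most accounts you ever provision at once

# Constructed sample body with three placeholder accounts (not captured traffic).
SAMPLE = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
 xmlns:tt="http://www.onvif.org/ver10/schema">
 <s:Body><tds:CreateUsers>
  <tds:User><tt:Username>op1</tt:Username><tt:Password>x</tt:Password><tt:UserLevel>Operator</tt:UserLevel></tds:User>
  <tds:User><tt:Username>op2</tt:Username><tt:Password>x</tt:Password><tt:UserLevel>Operator</tt:UserLevel></tds:User>
  <tds:User><tt:Username>view1</tt:Username><tt:Password>x</tt:Password><tt:UserLevel>User</tt:UserLevel></tds:User>
 </tds:CreateUsers></s:Body></s:Envelope>"""


def local(tag):
    """Drop the '{namespace}' part so matching does not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]


def inspect_create_users(body, max_users=MAX_USER_NODES):
    """Return (verdict, detail) for one ONVIF HTTP request body (bytes)."""
    if len(body) > MAX_BODY_BYTES:
        return "alert", f"body is {len(body)} bytes"
    # SOAP forbids DTDs; refusing them also keeps entity tricks away from this parser.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return "alert", "DTD in SOAP body"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "alert", f"malformed XML: {exc}"
    ops = [el for el in root.iter() if local(el.tag) == "CreateUsers"]
    if not ops:
        return "ignore", "not a CreateUsers request"
    # Count only direct User children, which is where the schema places them.
    users = sum(1 for op in ops for child in op if local(child.tag) == "User")
    if users > max_users:
        return "alert", f"{users} User nodes (limit {max_users})"
    return "ok", f"{users} User nodes"


if __name__ == "__main__":
    print(inspect_create_users(SAMPLE))               # within the default limit
    print(inspect_create_users(SAMPLE, max_users=2))  # stricter policy raises an alert
```

Feed it request bodies reassembled by whatever proxy or sensor sits in front of the camera VLAN, and route "alert" verdicts into the same queue as the availability checks.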
Monitoring Recommendations
- Monitor camera availability through ICMP, ONVIF probe, or NVR heartbeat checks and alert on repeated drops
- Log all ONVIF authentication attempts and rotate credentials that are shared across deployments
- Capture network flow data on the IoT or camera VLAN to retain forensic evidence of malformed SOAP requests
How to Mitigate CVE-2026-6239
Immediate Actions Required
- Apply the latest firmware for the Tapo C520WS v2 published on the TP-Link Tapo C520WS Firmware Release Notes page
- Restrict ONVIF access on the camera to a dedicated management VLAN reachable only by the NVR and authorized administrators
- Rotate ONVIF account credentials and remove any unused accounts on affected cameras
- Review camera access logs for unexpected authenticated sessions from unknown hosts
Patch Information
TP-Link publishes firmware updates for the Tapo C520WS on its support portal. Consult the TP-Link Tapo C520WS Firmware Release Notes and the TP-Link Tapo C520WS FAQ for the firmware version that addresses CVE-2026-6239 and for upgrade instructions. Validate firmware integrity using vendor-provided checksums before deployment.
Workarounds
- Block inbound ONVIF traffic (typically TCP/80, TCP/8080, or vendor-specific ports) to the camera from untrusted network segments using a firewall or switch ACL
- Disable ONVIF on the camera if it is not required by the recording or management platform
- Place affected cameras behind a network segmentation boundary that allows only the NVR management host to reach the ONVIF endpoint
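# Example: restrict ONVIF access to the NVR host only (Linux iptables)
# Replace CAMERA_IP and NVR_IP with the deployment values
# Set --dport to the port the camera's ONVIF service actually listens on
# -A appends: any broader ACCEPT rule earlier in FORWARD still matches first
iptables -A FORWARD -p tcp -d CAMERA_IP --dport 8080 -s NVR_IP -j ACCEPT
iptables -A FORWARD -p tcp -d CAMERA_IP --dport 8080 -j DROP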


