CVE-2026-0918
Published: 27 January 2026
Summary
CVE-2026-0918 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in TP-Link Tapo C220 firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 10.4th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A NULL dereference in the public HTTP service lets a remote, unauthenticated attacker exploit the network-facing application (T1190) to crash it and sustain a denial of service (Application or System Exploitation, T1499.004).
NVD Description
The Tapo C220 v1 and C520WS v2 cameras' HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
Deeper analysis
CVE-2026-0918 is a NULL pointer dereference vulnerability (CWE-476) in the HTTP service of TP-Link Tapo C220 v1 and C520WS v2 cameras. The service does not safely handle POST requests with an excessively large Content-Length header, resulting in a failed memory allocation that triggers the dereference and crashes the main service process. Published on 2026-01-27 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), it poses a high availability risk without impacting confidentiality or integrity.
An unauthenticated attacker can exploit the vulnerability remotely over the network by sending a POST request with an oversized Content-Length header, causing an immediate crash of the main service process and temporary denial of service. The affected camera automatically restarts following the crash, but an attacker can repeat the requests to sustain unavailability indefinitely.
TP-Link provides firmware download pages for the Tapo C220 v1, C520WS v2, and related models like C100 v5 and C220 v1.60, indicating patches are available for mitigation. Further technical details on the vulnerability and discovery are documented in the security research post at crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned.
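The defect pattern described above is an allocation sized directly from the client's Content-Length with no bound and no check of the result. The following is an added example, not code from the Tapo firmware or from TP-Link, of how a hardened request handler treats that header: it rejects malformed or negative values, caps the body at a size limit (MAX_BODY_LEN is assumed here, not a TP-Link value), and turns a failed malloc into an HTTP error instead of a process crash.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Largest body this handler buffers (assumed for this example, not a Tapo value). */
#define MAX_BODY_LEN ((size_t)1 << 20)   /* 1 MiB */

enum cl_status { CL_OK = 0, CL_MALFORMED = -1, CL_TOO_LARGE = -2 };

/* Parse "Content-Length: N" without trusting the number: reject signs and junk,
 * let strtoull's ERANGE catch values that do not fit, and cap at MAX_BODY_LEN. */
enum cl_status parse_content_length(const char *line, size_t *out)
{
    static const char prefix[] = "Content-Length:";
    const size_t plen = sizeof(prefix) - 1;
    if (strncasecmp(line, prefix, plen) != 0)   /* header names are case-insensitive */
        return CL_MALFORMED;
    const char *p = line + plen;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')                   /* rejects "-1", "+5", empty */
        return CL_MALFORMED;
    errno = 0; char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE)                        /* digits exceed unsigned long long */
        return CL_TOO_LARGE;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')                           /* trailing junk */
        return CL_MALFORMED;
    if (v > MAX_BODY_LEN)
        return CL_TOO_LARGE;
    *out = (size_t)v;
    return CL_OK;
}

/* Reserve the body buffer for one POST; returns the HTTP status to send (0 = go on
 * to read the body). A failed malloc fails the request, never the process. */
int reserve_post_body(const char *cl_line, unsigned char **buf, size_t *len)
{
    *buf = NULL;
    enum cl_status st = parse_content_length(cl_line, len);
    if (st == CL_MALFORMED) return 400;   /* Bad Request */
    if (st == CL_TOO_LARGE) return 413;   /* Payload Too Large */
    *buf = malloc(*len ? *len : 1);       /* malloc(0) may legally return NULL */
    if (*buf == NULL)
        return 503;                       /* out of memory, but the service keeps running */
    return 0;
}
```

The caller frees the buffer after the body has been read; the 413 path is the one that answers the oversized-header case from the advisory without ever attempting the allocation.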
Details
- CWE(s)