Cyber Resilience

CVE-2026-28519

HighPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 31.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-28519 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Tuya Arduino-Tuyaopen. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-28519 is a heap-based buffer overflow vulnerability (CWE-122) affecting the arduino-TuyaOpen library prior to version 1.2.1, specifically in its DnsServer component. Published on 2026-03-16, this flaw has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It impacts embedded devices utilizing this open-source Arduino library for integration with Tuya's IoT platform.

An attacker on the same local area network (LAN) who controls the LAN DNS server can exploit the vulnerability by sending crafted malicious DNS responses. This triggers a heap buffer overflow in the DnsServer component, potentially enabling arbitrary code execution on the targeted embedded device with high confidentiality, integrity, and availability impacts.

Advisories recommend updating to arduino-TuyaOpen version 1.2.1 or later to mitigate the issue, as detailed in the project's GitHub repository (https://github.com/tuya/arduino-TuyaOpen), Tuya's announcement (https://src.tuya.com/announcement/32), and VulnCheck's advisory (https://www.vulncheck.com/advisories/arduino-tuyaopen-dnsserver-heap-based-buffer-overflow-remote-code-execution).

EU & UK References

Vulnerability details

arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing…

more

execution of arbitrary code on affected embedded devices.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow in DNS response handling (DnsServer component) enables RCE via crafted network traffic from an attacker-controlled DNS server on the LAN, directly matching client-side exploitation for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28520Same product: Tuya Arduino-Tuyaopen
CVE-2026-28521Same product: Tuya Arduino-Tuyaopen
CVE-2026-40363Shared CWE-122
CVE-2025-59295Shared CWE-122
CVE-2025-21266Shared CWE-122
CVE-2026-25713Shared CWE-122
CVE-2026-5272Shared CWE-122
CVE-2026-8509Shared CWE-122
CVE-2025-21171Shared CWE-122
CVE-2026-23530Shared CWE-122

Affected Assets

tuya
arduino-tuyaopen
≤ 1.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely remediation through updating the vulnerable arduino-TuyaOpen library to version 1.2.1 or later.

prevent

Prevents the heap buffer overflow by validating the length and structure of incoming DNS responses in the DnsServer component before processing.

prevent

Mitigates exploitation of the heap buffer overflow vulnerability through memory protection mechanisms such as ASLR and non-executable heap memory.

References