CVE-2026-28519

HighPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

17 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28519 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Tuya Arduino-Tuyaopen. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely remediation through updating the vulnerable arduino-TuyaOpen library to version 1.2.1 or later.

SI-10 Information Input Validation good match

prevent

Prevents the heap buffer overflow by validating the length and structure of incoming DNS responses in the DnsServer component before processing.

SI-16 Memory Protection good match

prevent

Mitigates exploitation of the heap buffer overflow vulnerability through memory protection mechanisms such as ASLR and non-executable heap memory.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Heap buffer overflow in DNS response handling (DnsServer component) enables RCE via crafted network traffic from an attacker-controlled DNS server on the LAN, directly matching client-side exploitation for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

arduino-TuyaOpen before version 1.2.1 contains a heap-based buffer overflow vulnerability in the DnsServer component. An attacker on the same local area network who controls the LAN DNS server can send malicious DNS responses to overflow the heap buffer, potentially allowing…

execution of arbitrary code on affected embedded devices.

Deeper analysisAI

CVE-2026-28519 is a heap-based buffer overflow vulnerability (CWE-122) affecting the arduino-TuyaOpen library prior to version 1.2.1, specifically in its DnsServer component. Published on 2026-03-16, this flaw has a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It impacts embedded devices utilizing this open-source Arduino library for integration with Tuya's IoT platform.

An attacker on the same local area network (LAN) who controls the LAN DNS server can exploit the vulnerability by sending crafted malicious DNS responses. This triggers a heap buffer overflow in the DnsServer component, potentially enabling arbitrary code execution on the targeted embedded device with high confidentiality, integrity, and availability impacts.

Advisories recommend updating to arduino-TuyaOpen version 1.2.1 or later to mitigate the issue, as detailed in the project's GitHub repository (https://github.com/tuya/arduino-TuyaOpen), Tuya's announcement (https://src.tuya.com/announcement/32), and VulnCheck's advisory (https://www.vulncheck.com/advisories/arduino-tuyaopen-dnsserver-heap-based-buffer-overflow-remote-code-execution).