CVE-2026-28520

Severity: High · Public PoC

Published: 16 March 2026
Modified: 17 March 2026
KEV Added: (not listed)
Patch: (see Mitigating Controls)
CVSS Score v4: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0019 (9.1th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28520 is a high-severity Off-by-one Error (CWE-193) vulnerability in Tuya Arduino-Tuyaopen. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 9.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-28520 is a single-byte buffer overflow vulnerability (CWE-193) in the WiFiMulti component of the arduino-TuyaOpen library prior to version 1.2.1. This affects embedded smart hardware devices that utilize the library for WiFi connectivity integration with Tuya's IoT platform. The issue, published on 2026-03-16, carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

An attacker can exploit the vulnerability by controlling an access point (AP) hotspot to which the victim's smart hardware connects. No privileges are required (PR:N), and exploitation occurs with low complexity (AC:L) upon connection, allowing the attacker to trigger the buffer overflow and achieve remote code execution on the affected embedded device.

Mitigation involves upgrading to arduino-TuyaOpen version 1.2.1 or later, the first release the advisory lists as not affected. Additional guidance is available in the Tuya announcement at https://src.tuya.com/announcement/32, the project repository at https://github.com/tuya/arduino-TuyaOpen, and the VulnCheck advisory at https://www.vulncheck.com/advisories/arduino-tuyaopen-wifimulti-single-byte-buffer-overflow-remote-code-execution.

Vulnerability details

arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.

CWE(s)

CWE-193 Off-by-one Error

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The single-byte buffer overflow in the WiFi client library (WiFiMulti) is triggered directly by a malicious AP response during connection, enabling client-side code execution on the embedded device with no user interaction or privileges required.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28519 (same product: Tuya Arduino-Tuyaopen)
CVE-2026-28521 (same product: Tuya Arduino-Tuyaopen)
CVE-2026-34085 (shared CWE-193)
CVE-2021-3156 (shared CWE-193)
CVE-2024-57990 (shared CWE-193)
CVE-2024-57259 (shared CWE-193)
CVE-2026-22593 (shared CWE-193)
CVE-2026-4887 (shared CWE-193)
CVE-2024-48854 (shared CWE-193)
CVE-2026-44603 (shared CWE-193)

Affected Assets

Vendor: tuya
Product: arduino-tuyaopen
Versions: ≤ 1.2.1

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: Directly mitigates the buffer overflow by requiring timely remediation through upgrading the vulnerable arduino-TuyaOpen library to version 1.2.1 or later.

Prevent (SI-10, Information Input Validation): Requires validation of WiFi inputs processed by the WiFiMulti component, preventing the single-byte buffer overflow from malformed data sent by an attacker-controlled AP.

Prevent (SI-16, Memory Protection): Implements memory protections such as stack canaries or address space layout randomization to block exploitation of the buffer overflow for arbitrary code execution.