CVE-2026-28520

HighPublic PoC

Published: 16 March 2026

Published

16 March 2026

Modified

17 March 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28520 is a high-severity Off-by-one Error (CWE-193) vulnerability in Tuya Arduino-Tuyaopen. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the buffer overflow by requiring timely remediation through upgrading the vulnerable arduino-TuyaOpen library to version 1.2.1 or later.

SI-10 Information Input Validation good match

prevent

Requires validation of WiFi inputs processed by the WiFiMulti component, preventing the single-byte buffer overflow from malformed data sent by an attacker-controlled AP.

SI-16 Memory Protection good match

prevent

Implements memory protections such as stack canaries or address space layout randomization to block exploitation of the buffer overflow for arbitrary code execution.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Single-byte buffer overflow in WiFi client library (WiFiMulti) is directly triggered by a malicious AP response during connection, enabling client-side code execution on the embedded device with no user interaction or privileges required.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.

Deeper analysisAI

CVE-2026-28520 is a single-byte buffer overflow vulnerability (CWE-193) in the WiFiMulti component of the arduino-TuyaOpen library prior to version 1.2.1. This affects embedded smart hardware devices that utilize the library for WiFi connectivity integration with Tuya's IoT platform. The issue, published on 2026-03-16, carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

An attacker can exploit the vulnerability by controlling an access point (AP) hotspot to which the victim's smart hardware connects. No privileges are required (PR:N), and exploitation occurs with low complexity (AC:L) upon connection, allowing the attacker to trigger the buffer overflow and achieve remote code execution on the affected embedded device.

Mitigation involves upgrading to arduino-TuyaOpen version 1.2.1 or later, as indicated by the vulnerability's versioning details. Additional guidance is available in the Tuya announcement at https://src.tuya.com/announcement/32, the project repository at https://github.com/tuya/arduino-TuyaOpen, and the VulnCheck advisory at https://www.vulncheck.com/advisories/arduino-tuyaopen-wifimulti-single-byte-buffer-overflow-remote-code-execution.