CVE-2026-28520
Published: 16 March 2026
Summary
CVE-2026-28520 is a high-severity Off-by-one Error (CWE-193) vulnerability in Tuya Arduino-Tuyaopen. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-28520 is a single-byte buffer overflow vulnerability (CWE-193) in the WiFiMulti component of the arduino-TuyaOpen library prior to version 1.2.1. This affects embedded smart hardware devices that utilize the library for WiFi connectivity integration with Tuya's IoT platform. The issue, published on 2026-03-16, carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.
An attacker can exploit the vulnerability by controlling an access point (AP) hotspot to which the victim's smart hardware connects. No privileges are required (PR:N), and exploitation occurs with low complexity (AC:L) upon connection, allowing the attacker to trigger the buffer overflow and achieve remote code execution on the affected embedded device.
Mitigation involves upgrading to arduino-TuyaOpen version 1.2.1 or later, as indicated by the vulnerability's versioning details. Additional guidance is available in the Tuya announcement at https://src.tuya.com/announcement/32, the project repository at https://github.com/tuya/arduino-TuyaOpen, and the VulnCheck advisory at https://www.vulncheck.com/advisories/arduino-tuyaopen-wifimulti-single-byte-buffer-overflow-remote-code-execution.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12227
Vulnerability details
arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Single-byte buffer overflow in WiFi client library (WiFiMulti) is directly triggered by a malicious AP response during connection, enabling client-side code execution on the embedded device with no user interaction or privileges required.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the buffer overflow by requiring timely remediation through upgrading the vulnerable arduino-TuyaOpen library to version 1.2.1 or later.
Requires validation of WiFi inputs processed by the WiFiMulti component, preventing the single-byte buffer overflow from malformed data sent by an attacker-controlled AP.
Implements memory protections such as stack canaries or address space layout randomization to block exploitation of the buffer overflow for arbitrary code execution.