Cyber Posture

CVE-2026-28521

Severity: High · Public PoC

Published: 16 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: arduino-TuyaOpen 1.2.1 or later
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28521 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Tuya Arduino-Tuyaopen. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent)
Flaw remediation directly mitigates this CVE by requiring organizations to identify, prioritize, and apply the patch, updating arduino-TuyaOpen to version 1.2.1 or later.

SI-16 Memory Protection (prevent)
Memory protection mechanisms such as bounds checking and address space layout randomization comprehensively address out-of-bounds memory read vulnerabilities like this one in the TuyaIoT component.

SI-10 Information Input Validation (prevent)
Validating DP event data received from the Tuya cloud service before it is processed prevents malicious payloads from triggering the out-of-bounds memory access.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

OOB memory read in IoT library parsing enables local memory data disclosure (T1005) or DoS via crafted cloud DP events (T1499.004); requires prior cloud compromise but directly triggers the effects.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.

Deeper analysis [AI-generated]

CVE-2026-28521 is an out-of-bounds memory read vulnerability (CWE-125) affecting the TuyaIoT component in the arduino-TuyaOpen library prior to version 1.2.1. Published on 2026-03-16T14:19:28.557, it carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices running the vulnerable library. This triggers out-of-bounds memory access, potentially resulting in information disclosure or a denial-of-service condition.

Advisories recommend updating to arduino-TuyaOpen version 1.2.1 or later to mitigate the issue. Additional details are available in the GitHub repository at https://github.com/tuya/arduino-TuyaOpen, Tuya's announcement at https://src.tuya.com/announcement/32, and the Vulncheck advisory at https://www.vulncheck.com/advisories/arduino-tuyaopen-tuyaiot-out-of-bounds-memory-read-information-disclosure.

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products

tuya / arduino-tuyaopen, ≤ 1.2.1

CVEs Like This One

CVE-2026-28519 (same product: Tuya Arduino-Tuyaopen)
CVE-2026-28520 (same product: Tuya Arduino-Tuyaopen)
CVE-2025-71231 (shared CWE-125)
CVE-2024-58007 (shared CWE-125)
CVE-2025-21789 (shared CWE-125)
CVE-2025-71133 (shared CWE-125)
CVE-2024-58015 (shared CWE-125)
CVE-2024-52332 (shared CWE-125)
CVE-2025-71093 (shared CWE-125)
CVE-2026-23397 (shared CWE-125)
