CVE-2026-28521
Published: 16 March 2026
Summary
CVE-2026-28521 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Tuya's arduino-TuyaOpen library. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 0.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28521 is an out-of-bounds memory read vulnerability (CWE-125) affecting the TuyaIoT component in the arduino-TuyaOpen library prior to version 1.2.1. Published on 2026-03-16T14:19:28.557, it carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices running the vulnerable library. This triggers out-of-bounds memory access, potentially resulting in information disclosure or a denial-of-service condition.
Advisories recommend updating to arduino-TuyaOpen version 1.2.1 or later to mitigate the issue. Additional details are available in the GitHub repository at https://github.com/tuya/arduino-TuyaOpen, Tuya's announcement at https://src.tuya.com/announcement/32, and the Vulncheck advisory at https://www.vulncheck.com/advisories/arduino-tuyaopen-tuyaiot-out-of-bounds-memory-read-information-disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12228
Vulnerability details
arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds memory read in the IoT library's DP event parsing enables disclosure of local memory contents (T1005) or denial of service via crafted cloud DP events (T1499.004); it requires prior compromise of the cloud service, but once that is in place it directly triggers these effects.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation) directly mitigates this CVE by requiring organizations to identify, prioritize, and apply the patch that updates arduino-TuyaOpen to version 1.2.1 or later.
- SI-16 (Memory Protection) mechanisms such as bounds checking and address space layout randomization address the class of out-of-bounds memory read vulnerabilities to which this TuyaIoT issue belongs, limiting what an attacker can learn or crash even before the patch is applied.
- Information input validation on DP event data received from the Tuya cloud service prevents processing of malicious payloads that trigger the out-of-bounds memory access; a device should treat cloud-originated length and type fields as untrusted and check them against the bytes actually received.
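The following is an added, self-contained C example (not code from arduino-TuyaOpen and not taken from the advisories) illustrating the input-validation control above. It uses a hypothetical DP (data point) record encoding constructed for the example, since the page does not document the real wire format: a 1-byte DP id, a 1-byte type, a 2-byte big-endian length, then that many value bytes, with records concatenated in one event payload. It contrasts a decoder that trusts the length field, the pattern that produces an out-of-bounds read, with a decoder that checks every field against the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical DP record layout (constructed for this example):
 *   id (1) | type (1) | length (2, big-endian) | value (length bytes) */
#define DP_HDR_LEN 4

typedef struct {
    uint8_t id;
    uint8_t type;
    uint16_t len;
    const uint8_t *value;   /* points into the caller's payload buffer */
} dp_record_t;

/* Vulnerable pattern: the length field is taken at face value and never
 * compared with the bytes remaining, so the returned end offset (and any
 * later read of out->value[0..len-1]) can run past the payload buffer. */
static size_t dp_next_unchecked(const uint8_t *buf, size_t off, dp_record_t *out) {
    out->id = buf[off];
    out->type = buf[off + 1];
    out->len = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
    out->value = buf + off + DP_HDR_LEN;
    return off + DP_HDR_LEN + out->len;   /* not bounded by the buffer size */
}

/* Hardened pattern: every read is checked against the known payload length
 * before it happens. Returns 0 on success and -1 if the record is malformed. */
static int dp_next_checked(const uint8_t *buf, size_t buf_len, size_t off,
                           dp_record_t *out, size_t *next) {
    if (off > buf_len || buf_len - off < DP_HDR_LEN)
        return -1;                                   /* header would overrun */
    uint16_t len = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
    if (buf_len - off - DP_HDR_LEN < len)
        return -1;                                   /* value would overrun */
    out->id = buf[off];
    out->type = buf[off + 1];
    out->len = len;
    out->value = buf + off + DP_HDR_LEN;
    *next = off + DP_HDR_LEN + len;
    return 0;
}

/* Walks a whole payload with the checked decoder.
 * Returns the number of records decoded, or -1 on any malformed record. */
int dp_parse_event(const uint8_t *buf, size_t buf_len, dp_record_t *recs, size_t max_recs) {
    size_t off = 0, count = 0;
    while (off < buf_len) {
        if (count >= max_recs)
            return -1;
        if (dp_next_checked(buf, buf_len, off, &recs[count], &off) != 0)
            return -1;
        count++;
    }
    return (int)count;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t benign_payload[] = {
    0x01, 0x01, 0x00, 0x01, 0x01,                     /* dp 1, len 1, value 0x01 */
    0x02, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2A    /* dp 2, len 4, value 42 */
};
/* Header claims 0x7FFF value bytes but the payload ends after the header. */
static const uint8_t oversized_payload[] = { 0x03, 0x03, 0x7F, 0xFF };
/* Header claims 5 value bytes; only 1 follows. */
static const uint8_t truncated_payload[] = { 0x01, 0x01, 0x00, 0x05, 0xAA };

int demo_benign_count(void) {
    dp_record_t recs[4];
    return dp_parse_event(benign_payload, sizeof benign_payload, recs, 4);
}

int demo_truncated_result(void) {
    dp_record_t recs[4];
    return dp_parse_event(truncated_payload, sizeof truncated_payload, recs, 4);
}

/* Shows how far the unchecked decoder would read: well beyond 4 bytes. */
size_t demo_unchecked_end(void) {
    dp_record_t rec;
    return dp_next_unchecked(oversized_payload, 0, &rec);
}

int main(void) {
    printf("benign records decoded: %d\n", demo_benign_count());
    printf("truncated payload result: %d\n", demo_truncated_result());
    printf("unchecked decoder would read up to offset %zu of a %zu-byte buffer\n",
           demo_unchecked_end(), sizeof oversized_payload);
    return 0;
}
```

The checked decoder rejects both the oversized and the truncated record before any value byte is touched, which turns a silent out-of-bounds read into a clean parse error the device can log. Note that the subtraction order in the checks (`buf_len - off` before comparing) avoids the integer-overflow mistake of computing `off + DP_HDR_LEN + len` and comparing that to `buf_len`.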