CVE-2026-28522

arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP packets that trigger a null pointer dereference, resulting in a denial-of-service condition.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/tuya/arduino-TuyaOpen	Product
https://src.tuya.com/announcement/32	Vendor Advisory
https://www.vulncheck.com/advisories/arduino-tuyaopen-wifiudp-null-pointer-dereference-denial-of-service	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tuya:arduino-tuyaopen:*:*:*:*:*:*:*:*

History

26 May 2026, 14:16

Type	Values Removed	Values Added
Summary	(en) arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP packets that trigger a null pointer dereference and resulting in a denial-of-service condition.	(en) arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP packets that trigger a null pointer dereference, resulting in a denial-of-service condition.

26 May 2026, 00:16

Type	Values Removed	Values Added
Summary		(es) arduino-TuyaOpen anterior a la versión 1.2.1 contiene una vulnerabilidad de desreferencia de puntero nulo en el componente WiFiUDP. Un atacante en la misma red de área local puede enviar un gran volumen de paquetes UDP maliciosos para causar agotamiento de memoria en el dispositivo, desencadenando una desreferencia de puntero nulo y resultando en una condición de denegación de servicio.
Summary	(en) arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP packets to cause memory exhaustion on the device, triggering a null pointer dereference and resulting in a denial-of-service condition.	(en) arduino-TuyaOpen before version 1.2.1 contains a null pointer dereference vulnerability in the WiFiUDP component. An attacker on the same local area network can send a large volume of malicious UDP packets that trigger a null pointer dereference and resulting in a denial-of-service condition.

17 Mar 2026, 20:27

Type	Values Removed	Values Added
References	~~() https://github.com/tuya/arduino-TuyaOpen -~~	() https://github.com/tuya/arduino-TuyaOpen - Product
References	~~() https://src.tuya.com/announcement/32 -~~	() https://src.tuya.com/announcement/32 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/arduino-tuyaopen-wifiudp-null-pointer-dereference-denial-of-service -~~	() https://www.vulncheck.com/advisories/arduino-tuyaopen-wifiudp-null-pointer-dereference-denial-of-service - Third Party Advisory
CPE		cpe:2.3:a:tuya:arduino-tuyaopen::::::::
First Time		Tuya Tuya arduino-tuyaopen

16 Mar 2026, 14:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 14:19

Updated : 2026-05-26 14:16

NVD link : CVE-2026-28522

Mitre link : CVE-2026-28522

CVE.ORG link : CVE-2026-28522

JSON object : View

Products Affected

tuya

arduino-tuyaopen

CWE

CWE-476

NULL Pointer Dereference

6.5 /10