Arendst Tasmota CVE-2026-38422 Remote Code Execution
A public exploit is available for CVE-2026-38422, a critical remote code execution vulnerability in Arendst Tasmota affecting devices running version <= 15.3.0.3 with scripter support enabled via combined buffer overflows in the `fetch_jpg()` function.
A public exploit has been released for CVE-2026-38422, a critical remote code execution vulnerability affecting Arendst Tasmota devices. The vulnerability resides in the fetch_jpg() function and arises from combined buffer overflows, leading to potential device takeover, access to sensitive device secrets/credentials, and a guaranteed denial-of-service condition through a crash/reboot loop. The vulnerability was reported to MITRE on March 29, 2026, and CVE-2026-38422 was assigned. A patch was released by Tasmota in version 15.3.0.4. This exploit poses a significant threat to Tasmota devices running vulnerable versions with scripter support enabled that use fetchjp() to connect to external MJPEG servers, as it allows an attacker to execute arbitrary code remotely.
Attack Chain
- The attacker identifies a vulnerable Tasmota device running a script that uses the fetchjp() function.
- The attacker sets up a malicious server on ATTACKER_IP, designed to exploit the vulnerability.
- The Tasmota device, through its script, initiates a connection to the attacker's server (ATTACKER_IP:8887/stream) using the fetchjp() function.
- Phase 1: The attacker's server sends an HTTP 200 OK response with a boundary string of 80 characters, triggering an overflow of the fixed-size boundary buffer.
- Phase 2: The attacker's server sends MJPEG frames with a Content-Length of 65537 bytes. The size is stored in a uint16_t, so the value wraps around (65537 mod 65536 = 1), and the device calls malloc(1) and readBytes(buff, 1).
- The remaining 65536 bytes in the stream are then parsed as the next part's boundary and headers, causing heap/stream corruption.
- This double corruption leads to remote code execution on the ESP32 device, or to a guaranteed denial-of-service (DoS) condition.
- The attacker gains full control of the device, including access to device secrets/credentials, or causes a continuous crash/reboot loop rendering the device unusable.
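The following C program is an added example, not Tasmota's code, that models the two parsing defects the attack chain describes and places the hardened handling beside each: a boundary token copied into a small fixed buffer, and a Content-Length narrowed into a uint16_t. The buffer size BOUNDARY_BUF, the frame cap FRAME_MAX, and all function names are hypothetical, and the attacker response it feeds in is constructed to match the chain above (an 80-character boundary, then a part declaring 65537 bytes). The last function is the kind of check a Content-Length-based detection rule for this bug keys on.

```c
/* Added example (not Tasmota's code). Buffer sizes, FRAME_MAX and function
 * names are hypothetical; the sample response is constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BOUNDARY_BUF 32              /* hypothetical fixed boundary buffer size */
#define FRAME_MAX    (256u * 1024u)  /* hypothetical cap on one JPEG frame */

/* Phase 1: copy the boundary token out of a Content-Type value. Returns the
 * token's length in the header and sets *fits to 0 when it does not fit in
 * out[]. The original defect is equivalent to strcpy(out, token) with no
 * check, so an 80-byte boundary overruns a smaller fixed buffer; here the
 * overlong token is clamped instead. */
size_t read_boundary(const char *ctype, char *out, size_t outsz, int *fits)
{
    const char *p = strstr(ctype, "boundary=");
    *fits = 0;
    out[0] = '\0';
    if (!p)
        return 0;
    p += strlen("boundary=");
    size_t n = strcspn(p, ";\r\n ");
    if (n < outsz) {                 /* leaves room for the terminator */
        memcpy(out, p, n);
        out[n] = '\0';
        *fits = 1;
    } else {
        memcpy(out, p, outsz - 1);   /* hardened: clamp, never overrun */
        out[outsz - 1] = '\0';
    }
    return n;
}

/* Phase 2, vulnerable: Content-Length narrowed into a uint16_t. 65537 wraps
 * to 1, so the caller would malloc(1) and read one byte of the frame. */
uint16_t vuln_frame_len(const char *value)
{
    return (uint16_t)strtoul(value, NULL, 10);
}

/* Phase 2, hardened: parse at full width, reject junk, signs and oversized frames. */
int safe_frame_len(const char *value, size_t *out)
{
    char *end;
    while (*value == ' ' || *value == '\t')
        value++;
    if (*value == '-' || *value == '+')
        return -1;
    errno = 0;
    unsigned long long v = strtoull(value, &end, 10);
    if (end == value || errno == ERANGE || v == 0 || v > FRAME_MAX)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Body bytes the vulnerable reader leaves unread after readBytes(buff, 1);
 * they are then parsed as the next boundary and headers (stream corruption). */
unsigned long long vuln_unread_bytes(const char *value)
{
    unsigned long long declared = strtoull(value, NULL, 10);
    return declared - vuln_frame_len(value);
}

/* Detection-side check on one header line: a Content-Length larger than a
 * uint16_t can hold is the signal behind the Content-Length rule. 1 = match. */
int content_length_exceeds_u16(const char *header_line)
{
    const char *prefix = "Content-Length:";
    if (strncmp(header_line, prefix, strlen(prefix)) != 0)
        return 0;
    unsigned long long v = strtoull(header_line + strlen(prefix), NULL, 10);
    return v > UINT16_MAX;
}

int main(void)
{
    /* Constructed attacker response mirroring the attack chain. */
    char boundary80[81];
    memset(boundary80, 'A', 80);
    boundary80[80] = '\0';
    char ctype[160];
    snprintf(ctype, sizeof ctype, "multipart/x-mixed-replace;boundary=%s", boundary80);

    char buf[BOUNDARY_BUF];
    int fits;
    size_t n = read_boundary(ctype, buf, sizeof buf, &fits);
    printf("boundary length %zu, fits in %d-byte buffer: %s\n", n, BOUNDARY_BUF,
           fits ? "yes" : "no (strcpy would overflow)");

    const char *clen = "65537";
    size_t safe;
    printf("uint16_t length %u, unread body bytes %llu\n",
           vuln_frame_len(clen), vuln_unread_bytes(clen));
    printf("hardened parse: %s\n",
           safe_frame_len(clen, &safe) == 0 ? "accepted at full width" : "rejected");
    printf("detect 'Content-Length: 65537': %d\n",
           content_length_exceeds_u16("Content-Length: 65537"));
    return 0;
}
```

The hardened parser still needs the caller to check the malloc() result: on an ESP32 a 64 KiB frame may legitimately fail to allocate, and the cap in FRAME_MAX is a policy choice, not a value from the advisory.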
Impact
Successful exploitation of CVE-2026-38422 allows for complete device takeover, exposing sensitive information, and causing a guaranteed crash or reboot loop. Any ESP32-based Tasmota device running version <= 15.3.0.3 with scripter support enabled and a script using fetchjp() is at risk. This can lead to significant disruption of services reliant on these devices, data breaches, and compromised device functionality. The CVSS score of 9.8 reflects the critical severity of this vulnerability.
Recommendation
- Upgrade all Tasmota devices to version 15.3.0.4 or later to patch CVE-2026-38422.
- Disable scripter support on Tasmota devices if it is not required, to mitigate the risk of fetchjp() exploitation.
- Monitor network traffic for connections initiated by Tasmota devices to unusual or untrusted external servers, using network connection monitoring and firewall logs (log categories: network_connection, firewall).
- Deploy the Sigma rule "Detect Tasmota fetchjp() Command Execution" to identify potentially malicious use of the fetchjp() command in Tasmota scripts.
- Inspect Tasmota device logs (if available) for error messages related to memory corruption or crashes after connecting to external MJPEG streams.
Detection coverage (2 rules)
Detect Tasmota fetchjp() Command Execution
Severity: high. Detects the execution of the `fetchjp()` command in Tasmota scripts, which is required to trigger CVE-2026-38422.
Detect CVE-2026-38422 Exploitation Attempt - HTTP Content-Length Overflow
Severity: medium. Detects a CVE-2026-38422 exploitation attempt by monitoring for HTTP responses with the specific Content-Length value that triggers the integer wraparound. This rule needs the HTTP response to be visible to the sensor in cleartext.