{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/arendst/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tasmota"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-38422","tasmota","rce","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Arendst"],"content_html":"\u003cp\u003eA public exploit has been released for CVE-2026-38422, a critical remote code execution vulnerability affecting Arendst Tasmota devices. The vulnerability resides in the \u003ccode\u003efetch_jpg()\u003c/code\u003e function and arises from combined buffer overflows, leading to potential device takeover, access to sensitive device secrets/credentials, and a guaranteed denial-of-service condition through a crash/reboot loop. The vulnerability was reported to MITRE on March 29, 2026, and CVE-2026-38422 was assigned. A patch was released by Tasmota in version 15.3.0.4. This exploit poses a significant threat to Tasmota devices running vulnerable versions with scripter support enabled that use \u003ccode\u003efetchjp()\u003c/code\u003e to connect to external MJPEG servers, as it allows an attacker to execute arbitrary code remotely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tasmota device running a script that uses the \u003ccode\u003efetchjp()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious server on ATTACKER_IP, designed to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe Tasmota device, through its script, initiates a connection to the attacker\u0026rsquo;s server (ATTACKER_IP:8887/stream) using the \u003ccode\u003efetchjp()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhase 1:\u003c/strong\u003e The attacker\u0026rsquo;s server sends an HTTP 200 OK response with a boundary string of 80 characters, triggering an overflow in the boundary buffer.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhase 2:\u003c/strong\u003e The attacker\u0026rsquo;s server sends MJPEG frames with a \u003ccode\u003eContent-Length\u003c/code\u003e of 65537 bytes, causing an integer wraparound due to the uint16_t size variable, resulting in \u003ccode\u003emalloc(1)\u003c/code\u003e and \u003ccode\u003ereadBytes(buff, 1)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe remaining 65536 bytes in the stream cause a heap/stream corruption.\u003c/li\u003e\n\u003cli\u003eThis double corruption leads to remote code execution on the ESP32 device, or a guaranteed denial-of-service (DoS) condition.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control of the device, including access to device secrets/credentials, or causes a continuous crash/reboot loop rendering the device unusable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-38422 allows for complete device takeover, exposing sensitive information, and causing a guaranteed crash or reboot loop. Any ESP32-based Tasmota device running version \u0026lt;= 15.3.0.3 with scripter support enabled and a script using \u003ccode\u003efetchjp()\u003c/code\u003e is at risk. This can lead to significant disruption of services reliant on these devices, data breaches, and compromised device functionality. The CVSS score of 9.8 reflects the critical severity of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Tasmota devices to version 15.3.0.4 or later to patch CVE-2026-38422.\u003c/li\u003e\n\u003cli\u003eDisable scripter support on Tasmota devices if it is not required, to mitigate the risk of \u003ccode\u003efetchjp()\u003c/code\u003e exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections initiated by Tasmota devices to unusual or untrusted external servers, using network connection monitoring and firewall logs (category \u003ccode\u003enetwork_connection\u003c/code\u003e, \u003ccode\u003efirewall\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tasmota fetchjp() Command Execution\u0026rdquo; to identify potentially malicious use of the \u003ccode\u003efetchjp()\u003c/code\u003e command in Tasmota scripts.\u003c/li\u003e\n\u003cli\u003eInspect Tasmota device logs (if available) for error messages related to memory corruption or crashes after connecting to external MJPEG streams.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-25T11:01:54Z","date_published":"2026-05-25T11:01:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-38422-tasmota-rce/","summary":"A public exploit is available for CVE-2026-38422, a critical remote code execution vulnerability in Arendst Tasmota affecting devices running version \u003c= 15.3.0.3 with scripter support enabled via combined buffer overflows in the `fetch_jpg()` function.","title":"Arendst Tasmota CVE-2026-38422 Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-38422-tasmota-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Arendst","version":"https://jsonfeed.org/version/1.1"}