Tapo C220 & C520WS, Denial of Service, CVE-2026-0918 (High)

Listen to this Post

The HTTP service in Tapo C220 v1 and C520WS v2 cameras fails to safely handle POST requests with an excessively large Content-Length header. When such a request is received, the service attempts to allocate a memory buffer of the specified size. Because the declared size is too large, the memory allocation fails and returns NULL. The service then dereferences this NULL pointer without proper error checking, causing an immediate crash of the main process. As the attacker is unauthenticated and only needs adjacency to the network, they can repeatedly send these crafted requests. Although the device automatically restarts after a crash, continuous exploitation can keep the camera unavailable, creating a persistent denial of service condition. The root cause is a missing validation check after memory allocation, classified as CWE-476 .
Platform: Tapo Cameras
Version: C220 v1 (<1.4.2 Build 251112) & C520WS v2 (<1.2.3 Build 251114)
Vulnerability : NULL Pointer Dereference
Severity: High (7.1 CVSS v4.0)
date: January 27, 2026

Prediction: Patch already available

What Undercode Say:

Analytics

The vulnerability is triggered via network adjacency, requires no privileges or user interaction, and has a high availability impact. Its exploit maturity is currently undefined, but the presence of public proof-of-concept details suggests active risk. The attack complexity is low, making it easily exploitable once an attacker has local network access. Continuous exploitation can lead to complete unavailability of the surveillance device .

How Exploit:

The following proof-of-concept command demonstrates how an unauthenticated attacker on the same network can crash the camera’s HTTP service.

Basic PoC using curl to send a POST request with a massive Content-Length header
Replace <CAMERA_IP> with the actual IP address of the target Tapo camera
curl -X POST -H "Content-Length: 9999999999" -H "Connection: close" http://<CAMERA_IP>/

Sending this request causes the memory allocation to fail, leading to a NULL pointer dereference and service crash .

Protection from this CVE

Immediate mitigation involves applying the official firmware patches provided by TP-Link. As a workaround, network segmentation is highly effective. Isolate IoT devices like cameras on a dedicated VLAN with strict firewall rules to limit which hosts can communicate with them. Network-level intrusion prevention systems can also be configured to flag or drop HTTP POST requests containing Content-Length headers that exceed a reasonable threshold (e.g., > 100 MB) .

Example iptables rule to isolate camera subnet (adjust IPs as needed)
Allow only a specific management host to communicate with the camera subnet
iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.20.0/24 -j DROP
iptables -A FORWARD -s 192.168.1.100 -d 192.168.20.0/24 -j ACCEPT

Note: This is a conceptual example of network segmentation and not a direct fix for the HTTP service flaw.

Impact

Successful exploitation results in a temporary denial of service, crashing the main service process and interrupting video and audio streams. While the device automatically reboots, repeated attacks can keep the camera offline indefinitely, creating blind spots in physical security surveillance. The vulnerability can be triggered remotely as long as the attacker is on the same local network segment, posing a significant risk to home and business environments where these cameras are deployed .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top