CVE-2026-0918 - Vulnerability Details

- Null Pointer Dereference in Tapo SmartCam HTTP Service on TP-Link Tapo C220 & C520WS

Description

The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.

Published: 2026-01-27

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A null‑pointer dereference occurs in the HTTP service of the Tapo C100 v5, Tapo C220 v1, and Tapo C520WS v2 cameras when the device receives a POST request containing an excessively large Content‑Length header. The resulting failed memory allocation triggers a crash of the main service process, temporarily disabling the camera’s HTTP interface. This is a CWE‑476 vulnerability. An unauthenticated attacker can repeatedly trigger this failure, causing a denial of service until the device automatically restarts.

Affected Systems

The vulnerability affects TP‑Link Tapo C100 v5, Tapo C220 v1, and Tapo C520WS v2 models. These are firmware devices that expose a HTTP service for configuration and video access. The issue is present in the firmware versions cited in the vendor’s support links, and the data does not indicate that current firmware updates mitigate the problem.

Risk and Exploitability

The CVSS base score of 7.1 reflects a high severity vulnerability. The EPSS score is below 1 %, indicating that the likelihood of exploitation is low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is network‑based; any host that can reach the camera’s HTTP port can send a malicious POST request. No authentication is required, so the vulnerability can be abused by anyone with network access to the camera, leading to repeated service restarts and temporary denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TP-Link Systems Inc.

Tapo C220 v1

unaffected

Version	Status	Constraints
`0`	affected	< 1.4.2 Build 251112

TP-Link Systems Inc.

Tapo C520WS v2

unaffected

Version	Status	Constraints
`0`	affected	< 1.2.3 Build 251114

TP-Link Systems Inc.

Tapo C100 v5

unaffected

Version	Status	Constraints
`0`	affected	< 1.4.3 Build 251128

Configuration 1 [-]

AND

cpe:2.3:o:tp-link:tapo_c220_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:tp-link:tapo_c220:1:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:tp-link:tapo_c520ws_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:tp-link:tapo_c520ws:2:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Tp-link	Tapo	—	—
Tp-link	Tapo C220 V1	—	—
Tp-link	Tapo C520ws V2	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

If a vendor update addressing this vulnerability is available, apply it to the affected Tapo models.
If no update is available, block or filter HTTP POST traffic to the camera’s port from untrusted networks to prevent attackers from sending oversized requests.
Monitor camera logs or reboot events for repeated service interruptions as an indicator of exploitation attempts.

Generated by OpenCVE AI on April 29, 2026 at 02:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned
https://www.tp-link.com/en/support/download/tapo-c220/v1/
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/download/tapo-c100/v5/
https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
https://www.tp-link.com/us/support/faq/4923/

History

Wed, 29 Apr 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description	The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.	The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.

Mon, 16 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
References		https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned

Wed, 11 Mar 2026 22:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tp-link tapo C220 Tp-link tapo C220 Firmware Tp-link tapo C520ws Tp-link tapo C520ws Firmware
CPEs		cpe:2.3:h:tp-link:tapo_c220:1:::::::* cpe:2.3:h:tp-link:tapo_c520ws:2:::::::* cpe:2.3:o:tp-link:tapo_c220_firmware:::::::: cpe:2.3:o:tp-link:tapo_c520ws_firmware::::::::
Vendors & Products		Tp-link tapo C220 Tp-link tapo C220 Firmware Tp-link tapo C520ws Tp-link tapo C520ws Firmware
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 10 Feb 2026 00:00:00 +0000

Type	Values Removed	Values Added
References		https://www.tp-link.com/us/support/download/tapo-c100/v5/

Wed, 28 Jan 2026 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tp-link Tp-link tapo Tp-link tapo C220 V1 Tp-link tapo C520ws V2
Vendors & Products		Tp-link Tp-link tapo Tp-link tapo C220 V1 Tp-link tapo C520ws V2

Tue, 27 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 27 Jan 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
Title		Null Pointer Dereference in Tapo SmartCam HTTP Service on TP-Link Tapo C220 & C520WS
Weaknesses		CWE-476
References		https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Tp-link Tapo Tapo C220 Tapo C220 Firmware Tapo C220 V1 Tapo C520ws Tapo C520ws Firmware Tapo C520ws V2

MITRE

Status: PUBLISHED

Assigner: TPLink

Published: 2026-01-27T17:52:04.348Z

Updated: 2026-04-29T00:05:42.816Z

Reserved: 2026-01-13T19:43:58.914Z

Link: CVE-2026-0918

Vulnrichment

Updated: 2026-01-27T18:07:21.888Z

NVD

Status : Modified

Published: 2026-01-27T18:15:54.973

Modified: 2026-04-29T01:16:02.717

Link: CVE-2026-0918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T03:00:12Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object