Description
A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
Published: 2026-06-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper handling of IPv4 fragmented packets in TP‑Link Tapo C200 v3’s network packet processing logic. An attacker can craft specially formatted packets that, when processed, cause excessive resource consumption and drive the device into an unstable state. This results in a temporary denial of service, rendering the camera unresponsive and causing intermittent loss of video monitoring and recording. The weakness is a resource‑exhaustion flaw classified as CWE-770.

Affected Systems

TP‑Link Systems Inc. Tapo C200 v3 is the only model listed as affected. No other versions or products are mentioned. Users of this camera should verify the firmware version and apply any available updates.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate‑to‑high impact. Because the EPSS score is not published and the vulnerability is not included in the CISA KEV catalog, the likelihood of exploitation is unclear, but the attack requires an unauthenticated neighboring attacker capable of sending malformed packets to the device. The proximity requirement and absence of published exploits reduce but do not eliminate the risk, and local attackers could trigger resource exhaustion and temporary service disruption.

Generated by OpenCVE AI on June 24, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the camera to the latest firmware released by TP‑Link that patch the malformed IPv4 fragmentation handling flaw.
  • If a newer firmware is unavailable, isolate the device from untrusted networks and place it behind a firewall that blocks or limits malformed IPv4 fragments.
  • Monitor the camera’s performance and network traffic for indicators of abnormal resource usage or denial of service, and apply future updates promptly.

Generated by OpenCVE AI on June 24, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Tp-link
Tp-link tapo C200 V3
Vendors & Products Tp-link
Tp-link tapo C200 V3

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets.  An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
Title Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Tp-link Tapo C200 V3
cve-icon MITRE

Status: PUBLISHED

Assigner: TPLink

Published:

Updated: 2026-06-24T18:53:46.451Z

Reserved: 2026-06-19T21:06:11.577Z

Link: CVE-2026-12760

cve-icon Vulnrichment

Updated: 2026-06-24T18:53:40.261Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:40:29Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling