Impact
The vulnerability stems from improper handling of IPv4 fragmented packets in TP‑Link Tapo C200 v3’s network packet processing logic. An attacker can craft specially formatted packets that, when processed, cause excessive resource consumption and drive the device into an unstable state. This results in a temporary denial of service, rendering the camera unresponsive and causing intermittent loss of video monitoring and recording. The weakness is a resource‑exhaustion flaw classified as CWE-770.
Affected Systems
TP‑Link Systems Inc. Tapo C200 v3 is the only model listed as affected. No other versions or products are mentioned. Users of this camera should verify the firmware version and apply any available updates.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate‑to‑high impact. Because the EPSS score is not published and the vulnerability is not included in the CISA KEV catalog, the likelihood of exploitation is unclear, but the attack requires an unauthenticated neighboring attacker capable of sending malformed packets to the device. The proximity requirement and absence of published exploits reduce but do not eliminate the risk, and local attackers could trigger resource exhaustion and temporary service disruption.
OpenCVE Enrichment