This vulnerability is a heap-based buffer overflow in the DnsServer component of the arduino‑TuyaOpen firmware. An attacker who can control the local network DNS server can send malicious DNS responses that overflow the heap buffer, potentially allowing the attacker to execute arbitrary code on the affected embedded device. The flaw results in full remote code execution, giving an attacker control over the device’s operating system or firmware.

Affected products are Tuya’s arduino‑TuyaOpen firmware versions prior to 1.2.1. The vulnerability is identified by the CPE string cpe:2.3:a:tuya:arduino-tuyaopen:*:*:*:*:*:*:*:* and applies to all derivatives of this firmware that include the DnsServer component. No single affected version beyond 1.2.1 is listed, so firmware updates equal or newer than 1.2.1 are presumed safe.

The CVSS score of 8.7 marks this as a high‑severity flaw. The EPSS score of less than 1% indicates low current exploitation probability, but the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local network access and control of the LAN DNS server, making it a LAN‑based attack. If an attacker can reach the device from the local network and manipulate DNS traffic, they can trigger the buffer overflow and gain code execution. Until a patch is applied, the risk remains significant for devices exposed to a potentially compromised local DNS environment.