Description
arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.
Published: 2026-03-15
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

An out‑of‑bounds memory read occurs in the TuyaIoT component of the arduino‑TuyaOpen SDK before version 1.2.1. When a device receives specially crafted DP event data from a compromised or hijacked Tuya cloud service, the component accesses memory outside its bounds. This flaw is classified as CWE‑125. Resulting behaviors include the disclosure of the device's internal memory contents to an attacker and, in some cases, a denial‑of‑service condition that causes the device to crash or become unresponsive.

Affected Systems

Product: arduino‑TuyaOpen by Tuya. All releases older than 1.2.1 are affected. The advisory indicates that any device running the library prior to that version is vulnerable, while version 1.2.1 and later fix the issue.

Risk and Exploitability

The CVSS score is 7.0, indicating a medium severity. The EPSS is below 1%, suggesting low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control or hijack the Tuya cloud infrastructure to push malicious DP data to the device. When such access is available, triggering the memory read is straightforward and may leak sensitive data or disrupt device operation.

Generated by OpenCVE AI on March 17, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the arduino‑TuyaOpen library to version 1.2.1 or later.
  • Verify the installed library version and apply any subsequent security updates from the vendor as they become available.

Generated by OpenCVE AI on March 17, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:tuya:arduino-tuyaopen:*:*:*:*:*:*:*:*

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tuya
Tuya arduino-tuyaopen
Vendors & Products Tuya
Tuya arduino-tuyaopen

Sun, 15 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition.
Title arduino-TuyaOpen TuyaIoT Out-of-Bounds Memory Read Information Disclosure
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tuya Arduino-tuyaopen
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:20:19.227Z

Reserved: 2026-02-27T21:07:55.466Z

Link: CVE-2026-28521

cve-icon Vulnrichment

Updated: 2026-03-16T14:17:35.673Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:19:28.557

Modified: 2026-03-17T20:24:33.687

Link: CVE-2026-28521

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:42Z

Weaknesses