
Security Advisory on Multiple Vulnerabilities on TP-Link Tapo C520WS (CVE-2026-34118 to CVE-2026-34122, CVE-2026-34124)

Security Advisory
Updated 04-02-2026 18:29:21 PM

Description of Vulnerabilities and Impacts:

Multiple vulnerabilities were identified in Tapo C520WS v2.6.

CVE-2026-34118 to CVE-2026-34120: Heap-Based Buffer Overflow Vulnerabilities Leading to Denial-of-Service in TP‑Link Tapo C520WS

Heap-based buffer overflow vulnerabilities exist across different data processing paths. Each flaw arises from insufficient boundary validation when handling externally supplied HTTP or streaming inputs.

An attacker on the same network segment could trigger heap memory corruption by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation results in a Denial-of-Service (DoS) condition in which the device’s process crashes or becomes unresponsive.

CVE-2026-34118: Occurs in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation.

CVE-2026-34119: Occurs in the HTTP parsing loop when appending segmented request bodies without continuous write‑boundary verification.

CVE-2026-34120: Occurs within the asynchronous parsing of local video stream content due to insufficient alignment and validation of buffer boundaries when processing streaming inputs.

The above CVEs share the same severity rating.

CVSS v4.0 Score: 7.1/ High

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
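
One way to enforce the remaining-capacity check that the descriptions of CVE-2026-34118 and CVE-2026-34119 identify as missing, shown as an added example rather than TP-Link's code. The names `body_buf`, `body_init`, `body_append` and `MAX_BODY`, and the 64 KiB cap, are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 65536u   /* assumed policy cap, not a value from the advisory */

struct body_buf {         /* hypothetical per-request body accumulator */
    unsigned char *data;
    size_t cap;           /* bytes allocated */
    size_t used;          /* bytes written so far */
};

/* Allocate from the declared Content-Length; refuse zero or oversized values. */
int body_init(struct body_buf *b, size_t content_length)
{
    *b = (struct body_buf){0};
    if (content_length == 0 || content_length > MAX_BODY)
        return -1;
    b->data = malloc(content_length);
    if (b->data == NULL) return -1;
    b->cap = content_length;
    return 0;
}

/* Append one segment. Remaining capacity is re-checked on every call, and the
 * comparison uses cap - used (never used + len) so it cannot wrap around. */
int body_append(struct body_buf *b, const void *seg, size_t len)
{
    if (b->data == NULL || seg == NULL || b->used > b->cap)
        return -1;
    if (len > b->cap - b->used)
        return -1;            /* would write past the allocation: reject */
    memcpy(b->data + b->used, seg, len);
    b->used += len;
    return 0;
}

/* Constructed scenario: 8 bytes declared, then 4 + 4 + 1 bytes arrive.
 * Returns how many of the three segments were accepted. */
int demo_accepted_segments(void)
{
    struct body_buf b;
    int ok = 0;
    if (body_init(&b, 8) != 0) return -1;
    ok += body_append(&b, "AAAA", 4) == 0;
    ok += body_append(&b, "BBBB", 4) == 0;
    ok += body_append(&b, "C", 1) == 0;   /* one byte over the declared length */
    free(b.data);
    return ok;
}
```

A rejected append leaves `used` unchanged, so the caller can close the connection or return an error response without any partial write having occurred.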

CVE-2026-34121: Authentication Bypass in DS Configuration Service via HTTP Request Parsing Differential

An authentication bypass vulnerability was identified in the HTTP handling of the DS configuration service, caused by inconsistent parsing and authorization logic for JSON requests during the authentication check. An unauthenticated attacker can append an authentication-exempt action to a request containing privileged DS do actions, bypassing authorization checks.

Successful exploitation allows unauthenticated execution of restricted configuration actions, which may result in unauthorized modification of device state.

CVSS v4.0 Score: 8.7/ High

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE-2026-34122: Stack-based Buffer Overflow Leading to Denial of Service in TP-Link Tapo C520WS

A stack-based buffer overflow vulnerability was identified in the DS configuration service due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long value for a vulnerable configuration parameter, resulting in a stack overflow.

Successful exploitation results in a Denial-of-Service (DoS) condition, leading to a service crash or device reboot and impacting availability.

CVSS v4.0 Score: 7.1/ High

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2026-34124: Denial of Service via Path Expansion Overflow in HTTP Service

A denial-of-service vulnerability was identified within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent network may send a crafted HTTP request to cause a buffer overflow and memory corruption, leading to system interruption or device reboot.

CVSS v4.0 Score: 7.1/ High

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products/Versions and Fixes:

| Affected Product | Affected Version |
| --- | --- |
| Tapo C520WS v2.6 | < 1.2.4 Build 260326 Rel.24666n |

Recommendations:

We strongly recommend that users with affected devices take the following actions:

  1. Follow the instructions to update to the latest firmware version to fix the vulnerabilities:

US: Download for Tapo C520WS | TP-Link

EN: Download for Tapo C520WS | TP-Link

Disclaimer:

If you do not take all recommended actions, this vulnerability will remain. TP-Link cannot bear any responsibility for consequences that could have been avoided by following this advisory.
