Security Advisory: Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in Tapo C200 (CVE-2026-12760)
Vulnerability and Impact Description:
CVE-2026-12760
A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.
Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.
CVSS v4.0 Score: 7.1 / High
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products/Versions and Fixes:
|
Affected Product Model |
Hardware Version |
Fixed Version |
|
Tapo C200 |
V3 |
1.4.4 Build 250922 |
Recommendations:
We strongly recommend that users with affected devices take the following actions:
- Follow the instructions to update to the latest firmware version to fix the vulnerabilities:
US: Download for Tapo C200 | TP-Link
EN: Download for Tapo C200 | TP-Link
Disclaimer:
This advisory is provided for informational purposes only and is subject to change without notice. The information is provided “as is” without warranties of any kind. TP-Link recommends that customers promptly apply available firmware updates or implement documented workarounds as provided in this advisory. Devices/systems that are not updated or mitigated as described may remain vulnerable, and TP-Link disclaims any responsibility or liability for any damages or losses arising from a failure to implement such updates.
Looking For More
Is this faq useful?
Your feedback helps improve this site.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.