Vulnerability Description
The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tp-Link | Tapo C220 Firmware | < 1.4.2 |
| Tp-Link | Tapo C220 | 1 |
| Tp-Link | Tapo C520Ws Firmware | < 1.2.3 |
| Tp-Link | Tapo C520Ws | 2 |
Related Weaknesses (CWE)
References
- https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-as
- https://www.tp-link.com/en/support/download/tapo-c220/v1/Product
- https://www.tp-link.com/en/support/download/tapo-c520ws/v2/Product
- https://www.tp-link.com/us/support/download/tapo-c100/v5/Product
- https://www.tp-link.com/us/support/download/tapo-c220/v1.60/Product
- https://www.tp-link.com/us/support/download/tapo-c520ws/v2/Product
- https://www.tp-link.com/us/support/faq/4923/Vendor Advisory
FAQ
What is CVE-2026-0918?
CVE-2026-0918 is a vulnerability with a CVSS score of 7.5 (HIGH). The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation trigger...
How severe is CVE-2026-0918?
CVE-2026-0918 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-0918?
Check the references section above for vendor advisories and patch information. Affected products include: Tp-Link Tapo C220 Firmware, Tp-Link Tapo C220, Tp-Link Tapo C520Ws Firmware, Tp-Link Tapo C520Ws.