An attacker sending a malformed HTTP POST request over LAN to a TP-Link Smart camera device can trigger the vulnerability described here.

This report describes a heap buffer overflow, which leads to remote code execution.

The vulnerability we are disclosing in this advisory affected a wide range of TP-Link devices, including TAPO Smart Cameras. A TP-Link Security Advisory released in April 2026 contains this vulnerability as CVE-2026-34120.

Vulnerability Details

In the HTTP Server implementation of TAPO devices, another overflow similar to CVE-2026-34118 is present in http_read_content_asyn. This gets called repeatedly, e.g. if new data arrived on a read that timed out.

The device handles Video Over Http, as described in the similarly named section at https://drmnsamoliu.github.io/video.html, through a special protocol, which includes handling multipart content, where the content length is ignored for the most part (the link shows the device passed -1 as content length on a similar device).

The goal seems to be to introduce a layer on top of HTTP/HTTPS, which understands packets.

  msg_debug(0,5,1,"http_parser",0xa27,"[HTTPD]http_read_content_asyn.");
  content_len = context->parsed_content_len;
  if (content_len != 0) {
    startptr = context->startptr;
    endptr = context->endptr;
    context->content_parse_done = 0;
    bytes_remaining = (context->startptr + content_len) - context->endptr;
    if (-1 < (int)bytes_remaining) {
      boundary = context->boundary;
      if (bytes_remaining == (char *)0x0) goto LAB_000e5b60;
      if ((boundary != (char *)0x0) && (context->unk_flag == 0)) { // [1]
        bytes_read = http_recv_block(context,endptr,0x1000); // [2]
        // ... error handling
        // ... Proceed with parsing boundary headers
      } else {
        err = http__read_all_vulnerable(context); // [2]
        // ...
      }
    }

Affected Devices

  • verified: TAPO C520WS
  • potentially: TP-Link smart devices using the TAPO architecture

Timeline

  • 2025.12.12. Vulnerability reported to TP-Link PSIRT by email.
  • 2026.02.04. TP-Link acknowledges the report and asks for extended PoC.
  • 2026.02.11. TASZK responds with sending extended copy-paste PoCs and highlights that sufficient reproduction information was already contained in the original submission.
  • 2026.03.04. TP-Link confirms vulnerability and asks for time extension. TP-Link also provides erroneous analysis for several other reported vulnerabilities.
  • 2026.03.04. TASZK provides update explaining the errors in TP-Link’s assessment regarding other reported vulnerabilities, describing which CVE assignment and advisory detail assessments are incorrect.
  • 2026.03.05. TP-Link again asks for a 3 week extension, does not confirm any TASZK analysis.
  • 2026.03.06. TASZK confirms that a 3 week extension will be granted for vulnerabilities where a CVE assignment and/or Advisory correction will happen.
  • 2026.03.20. TP-Link communicates that this vulnerability (along with some reported at the time) have been fixed and wishes TASZK to provide a black box analysis of a new firmware image. TP-Link does not confirm which submitted vulnerabilities will receive a CVE and/or Advisory correction but ask for another arbitrary extension for only 1 vulnerability.
  • 2026.03.23. TASZK confirms that the 3 week extension will be granted if the list of vulnerabilities that are receiving a CVE and/or Advisory correction will be shared, otherwise no other extension will be granted.
  • 2026.03.26-04.01. TP-Link attempts to get in touch via several non-official channels, including an attempt to show up at our offices in person uninvited. TP-Link requests additional delay for different vulnerabilities.
  • 2026.04.02. End date of original 90 day + 3 week embargo. TASZK highlights that the PSIRT keeps sending plaintext emails with sensitive vulnerability information, points out that non-PSIRT channels are considered out-of-bounds for coordinated disclosure and confirms that embargo windows will not be extended further. TASZK volunteers a 24h notice to TP-Link for advisory release.
  • 2026.04.02. TP-Link releases advisory for the vulnerability: https://www.tp-link.com/us/support/faq/5047/
  • 2026.04.06. TASZK communicates notice of release to TP-Link.
  • 2026.04.28. Advisory released.