{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28521", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-27T21:07:55.466Z", "datePublished": "2026-03-15T13:35:46.217Z", "dateUpdated": "2026-03-16T14:20:19.227Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T13:35:46.217Z"}, "datePublic": "2026-03-11T00:00:00.000Z", "title": "arduino-TuyaOpen TuyaIoT Out-of-Bounds Memory Read Information Disclosure", "descriptions": [{"lang": "en", "value": "arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out-of-bounds Read", "cweId": "CWE-125", "type": "CWE"}]}], "affected": [{"vendor": "Tuya", "product": "arduino-TuyaOpen", "versions": [{"version": "0", "lessThan": "1.2.1", "status": "affected", "versionType": "semver"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://src.tuya.com/announcement/32", "name": "Tuya SRC Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/tuya/arduino-TuyaOpen", "name": "arduino-TuyaOpen GitHub Repository", "tags": ["product"]}, {"name": "VulnCheck Advisory: arduino-TuyaOpen TuyaIoT Out-of-Bounds Memory Read Information Disclosure", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/arduino-tuyaopen-tuyaiot-out-of-bounds-memory-read-information-disclosure"}], "x_generator": {"engine": "vulncheck"}, "credits": [{"lang": "en", "value": "Maxime ROSSI BELLOM", "type": "finder"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28521", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:13:14.231767Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:20:19.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28521", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:13:14.231767Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:17:35.673Z"}}], "cna": {"title": "arduino-TuyaOpen TuyaIoT Out-of-Bounds Memory Read Information Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Maxime ROSSI BELLOM"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Tuya", "product": "arduino-TuyaOpen", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.1", "versionType": "semver"}]}], "datePublic": "2026-03-11T00:00:00.000Z", "references": [{"url": "https://src.tuya.com/announcement/32", "name": "Tuya SRC Security Advisory", "tags": ["vendor-advisory"]}, {"url": "https://github.com/tuya/arduino-TuyaOpen", "name": "arduino-TuyaOpen GitHub Repository", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/arduino-tuyaopen-tuyaiot-out-of-bounds-memory-read-information-disclosure", "name": "VulnCheck Advisory: arduino-TuyaOpen TuyaIoT Out-of-Bounds Memory Read Information Disclosure", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T13:35:46.217Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28521", "state": "PUBLISHED", "dateUpdated": "2026-03-16T14:20:19.227Z", "dateReserved": "2026-02-27T21:07:55.466Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-15T13:35:46.217Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tuya:arduino-tuyaopen:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DCD3B50-3018-4B34-AB9B-16C0FB32AF4A", "versionEndExcluding": "1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "arduino-TuyaOpen before version 1.2.1 contains an out-of-bounds memory read vulnerability in the TuyaIoT component. An attacker who hijacks or controls the Tuya cloud service can issue malicious DP event data to victim devices, causing out-of-bounds memory access that may result in information disclosure or a denial-of-service condition."}], "id": "CVE-2026-28521", "lastModified": "2026-03-17T20:24:33.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:28.557", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://github.com/tuya/arduino-TuyaOpen"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://src.tuya.com/announcement/32"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/arduino-tuyaopen-tuyaiot-out-of-bounds-memory-read-information-disclosure"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "arduino-TuyaOpen", "source": "cna", "vendor": "Tuya"}, "product": "arduino-tuyaopen", "vendor": "tuya"}], "analysis": {"en": {"generated_at": "2026-03-17T21:51:36.653977+00:00", "value": {"mitigation_remediation": ["Upgrade the arduino\u2011TuyaOpen library to version 1.2.1 or later.", "Verify the installed library version and apply any subsequent security updates from the vendor as they become available."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Product: arduino\u2011TuyaOpen by Tuya. All releases older than 1.2.1 are affected. The advisory indicates that any device running the library prior to that version is vulnerable, while version 1.2.1 and later fix the issue.", "description_and_impact": "An out\u2011of\u2011bounds memory read occurs in the TuyaIoT component of the arduino\u2011TuyaOpen SDK before version 1.2.1. When a device receives specially crafted DP event data from a compromised or hijacked Tuya cloud service, the component accesses memory outside its bounds. This flaw is classified as CWE\u2011125. Resulting behaviors include the disclosure of the device's internal memory contents to an attacker and, in some cases, a denial\u2011of\u2011service condition that causes the device to crash or become unresponsive.", "risk_and_exploitability": "The CVSS score is 7.0, indicating a medium severity. The EPSS is below 1%, suggesting low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control or hijack the Tuya cloud infrastructure to push malicious DP data to the device. When such access is available, triggering the memory read is straightforward and may leak sensitive data or disrupt device operation."}}}}, "created": "2026-03-16T09:21:36.429397+00:00", "updated": "2026-03-23T14:01:42.339624+00:00", "vendors": ["tuya", "tuya$PRODUCT$arduino-tuyaopen"]}