CVE-2026-0918
HIGHTP-Link Tapo C100 v5 C220 v1 C520WS v2 - Unauthenticated Denial of Service via Large Content-Length Header
Title source: llmDescription
The Tapo C100 v5, C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable.
References (7)
Core 7
Core References
Various Sources patch
https://www.tp-link.com/us/support/download/tapo-c220/v1.60/
Various Sources patch
https://www.tp-link.com/us/support/download/tapo-c520ws/v2/
Various Sources patch
https://www.tp-link.com/en/support/download/tapo-c520ws/v2/
Various Sources vendor-advisory
https://www.tp-link.com/us/support/faq/4923/
Various Sources patch
https://www.tp-link.com/us/support/download/tapo-c100/v5/
Third Party Advisory third-party-advisory
https://www.crac-learning.com/post/smart-home-security-research-cve-2026-0918-assigned
Various Sources patch
https://www.tp-link.com/en/support/download/tapo-c220/v1/
Scores
CVSS v3
7.5
EPSS
0.0068
EPSS Percentile
47.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-476
Status
published
Products (5)
tp-link/tapo_c220_firmware
< 1.4.2
tp-link/tapo_c520ws_firmware
< 1.2.3
TP-Link Systems Inc./Tapo C100 v5
< 1.4.3 Build 251128
TP-Link Systems Inc./Tapo C220 v1
< 1.4.2 Build 251112
TP-Link Systems Inc./Tapo C520WS v2
< 1.2.3 Build 251114
Published
Jan 27, 2026
Tracked Since
Feb 18, 2026