CVE-2026-6239 (GCVE-0-2026-6239)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:50 – Updated: 2026-06-05 23:50
VLAI
Title
Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS
Summary
A stack‑based
buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where
the device fails to properly validate the number of XML user nodes during
request processing. An authenticated attacker can send a specially crafted
ONVIF request containing an excessive number of user entries to trigger memory
corruption.
Successful
exploitation may cause the ONVIF management service to terminate unexpectedly,
resulting in a denial‑of‑service (DoS) condition that disrupts device
configuration and management functions.
Severity
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.tp-link.com/us/support/download/tapo-… | patch |
| https://www.tp-link.com/en/support/download/tapo-… | patch |
| https://www.tp-link.com/us/support/faq/5120/ | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link Systems Inc. | Tapo C520WS v2 |
Affected:
0 , < 1.2.6 Build 260528
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tapo C520WS v2",
"vendor": "TP-Link Systems Inc.",
"versions": [
{
"lessThan": "1.2.6 Build 260528",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stack\u2011based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.\u003c/p\u003e\u003cp\u003e\n\n\u003c/p\u003e\u003cp\u003eSuccessful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial\u2011of\u2011service (DoS) condition that disrupts device\nconfiguration and management functions.\u003c/p\u003e"
}
],
"value": "A stack\u2011based\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\nthe device fails to properly validate the number of XML user nodes during\nrequest processing. An authenticated attacker can send a specially crafted\nONVIF request containing an excessive number of user entries to trigger memory\ncorruption.\n\n\n\n\n\n\n\n\n\nSuccessful\nexploitation may cause the ONVIF management service to terminate unexpectedly,\nresulting in a denial\u2011of\u2011service (DoS) condition that disrupts device\nconfiguration and management functions."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:50:59.001Z",
"orgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"shortName": "TPLink"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"patch"
],
"url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.tp-link.com/us/support/faq/5120/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "f23511db-6c3e-4e32-a477-6aa17d310630",
"assignerShortName": "TPLink",
"cveId": "CVE-2026-6239",
"datePublished": "2026-06-05T23:50:59.001Z",
"dateReserved": "2026-04-13T17:10:22.074Z",
"dateUpdated": "2026-06-05T23:50:59.001Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-6239\",\"sourceIdentifier\":\"f23511db-6c3e-4e32-a477-6aa17d310630\",\"published\":\"2026-06-06T00:16:40.977\",\"lastModified\":\"2026-06-06T00:16:40.977\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A stack\u2011based\\nbuffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where\\nthe device fails to properly validate the number of XML user nodes during\\nrequest processing. An authenticated attacker can send a specially crafted\\nONVIF request containing an excessive number of user entries to trigger memory\\ncorruption.\\n\\n\\n\\n\\n\\n\\n\\n\\n\\nSuccessful\\nexploitation may cause the ONVIF management service to terminate unexpectedly,\\nresulting in a denial\u2011of\u2011service (DoS) condition that disrupts device\\nconfiguration and management functions.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"}]}],\"references\":[{\"url\":\"https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes\",\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\"},{\"url\":\"https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes\",\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\"},{\"url\":\"https://www.tp-link.com/us/support/faq/5120/\",\"source\":\"f23511db-6c3e-4e32-a477-6aa17d310630\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…