Severity: HIGH | CVE-2026-1871 | CNA: TPLink

CVE-2026-1871: Authenticated Stack-based Buffer Overflow in RTSP Authentication of Tapo C200

TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request. Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface until the service restarts.
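The kind of check whose absence the description names, shown as an added example (it is not TP-Link's firmware code and does not come from this page): a Digest `Authorization` parser that validates each field's length before copying it into a fixed-size buffer. The struct, function names and buffer sizes are assumptions, and backslash-escaped quotes inside values are not handled.

```c
#include <stdio.h>
#include <string.h>
/* Buffer sizes are assumptions for this sketch, not firmware values. */
struct digest_auth { char username[64], realm[64], nonce[128], uri[256], response[65]; };
enum { AUTH_OK = 0, AUTH_MISSING = -1, AUTH_TOO_LONG = -2 };

/* Copy the quoted value of key="..." into out. The length is checked before
 * the copy; an over-length value is rejected, never truncated or copied. */
static int copy_auth_field(const char *hdr, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = hdr;
    while ((p = strstr(p, key)) != NULL) {
        /* Token boundary required so "nonce" does not match inside "cnonce". */
        int boundary = (p == hdr) || p[-1] == ' ' || p[-1] == ',';
        if (boundary && p[klen] == '=' && p[klen + 1] == '"') break;
        p += klen;
    }
    if (p == NULL) return AUTH_MISSING;
    const char *val = p + klen + 2;
    const char *end = strchr(val, '"');
    if (end == NULL) return AUTH_MISSING;      /* unterminated quoted string */
    size_t vlen = (size_t)(end - val);
    if (vlen >= outsz) return AUTH_TOO_LONG;   /* leave room for the NUL */
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return AUTH_OK;
}

/* Reject the whole request if any required field is absent or over-length. */
int parse_digest(const char *hdr, struct digest_auth *a)
{
    int rc;
    memset(a, 0, sizeof *a);
    if (strncmp(hdr, "Digest ", 7) != 0) return AUTH_MISSING;
    hdr += 7;
    if ((rc = copy_auth_field(hdr, "username", a->username, sizeof a->username))) return rc;
    if ((rc = copy_auth_field(hdr, "realm", a->realm, sizeof a->realm))) return rc;
    if ((rc = copy_auth_field(hdr, "nonce", a->nonce, sizeof a->nonce))) return rc;
    if ((rc = copy_auth_field(hdr, "uri", a->uri, sizeof a->uri))) return rc;
    return copy_auth_field(hdr, "response", a->response, sizeof a->response);
}

int main(void)
{
    struct digest_auth a;   /* header value below is constructed sample input */
    const char *h = "Digest username=\"admin\", realm=\"cam\", nonce=\"abc\", uri=\"rtsp://192.0.2.10/stream1\", response=\"00ff\"";
    printf("rc=%d user=%s\n", parse_digest(h, &a), a.username);
    return 0;
}
```

A server using a parser like this would answer an `AUTH_TOO_LONG` result with an error response and close the session rather than continue authentication.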

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: 1.4.4 Build 260527 Rel.28339n
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the RTSP authentication handler of the TP-Link Tapo C200 v5 IP camera. The flaw is reachable from an adjacent network (LAN, Wi-Fi, or VPN segment) without any credentials, by sending a crafted Authorization header that exceeds the expected field length. Successful exploitation crashes the RTSP core service and triggers an automatic device reboot, denying access to the live video stream and management interface until the service recovers. A patched-image rebuild at firmware version 1.4.4 Build 260527 Rel.28339n is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle or reference affected Tapo C200 firmware layers. Any image carrying a component version below 1.4.4 Build 260527 Rel.28339n is flagged automatically.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v4.0 score of 7.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage tickets are sent to the appropriate team inbox within each customer organization based on the policy rules they have configured.

Patch: Available

A patched-image rebuild pinned to firmware version 1.4.4 Build 260527 Rel.28339n is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability

    The attacker must be on the same adjacent network segment (local LAN, Wi-Fi subnet, or VPN) as the camera; remote internet-based exploitation is not possible with this vector.

  • Authentication: Not required

    No credentials are needed; the overflow is triggered during the authentication handshake itself, before any account validation occurs.

  • Victim interaction: Not required

    No user action is required; the attacker sends a crafted RTSP request directly to the device.

  • Attack complexity

    The exploit is reliable and condition-free, requiring no race conditions, memory layout knowledge, or other environmental preconditions.

Blast Radius

  • Crashes the RTSP core service process on the camera, immediately terminating the live video stream for all connected viewers.
  • Triggers an automatic full device reboot, cutting off access to both the video feed and the camera management interface for the duration of the restart cycle.
  • Repeated exploitation keeps the device in a reboot loop, effectively taking the camera offline as a persistent denial-of-service condition.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication, matching any image referencing an affected Tapo C200 v5 firmware version against the published advisory. Because a fix exists at version 1.4.4 Build 260527 Rel.28339n, a rebuilt image at that version is available for affected environments. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs a regression test pass, and opens a pull request against the affected workload; for HIGH-severity issues, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. For environments where auto-remediation is not enabled, the triage alert is routed to the configured team inbox so engineers can act manually. In the interim, compensating controls worth considering include network-policy rules that restrict RTSP port access (typically TCP 554) to trusted client addresses only, and VLAN or firewall segmentation to limit the set of hosts that can reach the camera on the local network.

Fix available: 1.4.4 Build 260527 Rel.28339n

Affected packages

  • TP-Link Systems Inc. / Tapo C200 v5
    < 1.4.4 Build 260527 Rel.28339n (from 0)

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N