CVE-2026-1871 HIGH

CVE-2026-1871: Authenticated Stack-based Buffer Overflow in RTSP Authentication of Tapo C200

Vendor Tp-Link Systems Inc.
Product Tapo C200 v5
Weakness CWE-121
Published June 2, 2026
Last update June 2, 2026

CVSS base score

7.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request. Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera’s live video stream or management interface until the service restarts.

Key dates

02Disclosure timeline

June 2, 2026 CVE published
June 2, 2026 Record updated