Denial-of-Service Vulnerability via Malformed IPv4 Fragmentation Handling in TP-Link Tapo C200
Summary
| CVE | CVE-2026-12760 |
|---|---|
| State | PUBLISHED |
| Assigner | TPLink |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 19:17:08 UTC |
| Updated | 2026-06-29 16:17:25 UTC |
| Description | A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording. |
Risk And Classification
Primary CVSS: v4.0 7.1 HIGH from f23511db-6c3e-4e32-a477-6aa17d310630
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.002220000 probability, percentile 0.127220000 (date 2026-06-30)
Problem Types: CWE-770 | CWE-770 CWE-770 Allocation of resources without limits or throttling
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | f23511db-6c3e-4e32-a477-6aa17d310630 | Secondary | 7.1 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 7.1 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
Attack Vector
AdjacentAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
NoneIntegrity
NoneAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
AdjacentAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Tp-link | Tapo C200 | 3 | All | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.11 | build_231115 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.13 | build_240327 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.14 | build_240513 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.15 | build_240715 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.3 | build_230228 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.4 | build_230424 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.5 | build_230717 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.7 | build_230920 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.3.9 | build_231019 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.4.1 | build_241212 | All | All |
| Operating System | Tp-link | Tapo C200 Firmware | 1.4.2 | build_250313 | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TP-Link Systems Inc. | Tapo C200 V3 | affected 1.4.4 Build 250922 custom | NVMP |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.tp-link.com/en/support/download/tapo-c200/v3 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Release Notes |
| www.tp-link.com/us/support/faq/5143 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Vendor Advisory |
| www.tp-link.com/us/support/download/tapo-c200/v3 | f23511db-6c3e-4e32-a477-6aa17d310630 | www.tp-link.com | Release Notes |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Arjan Chadha, Keysight Technologies (en)
There are currently no legacy QID mappings associated with this CVE.