CVE-2026-0918 is a vulnerability identified in TP-Link Systems Inc.'s Tapo C220 v1 and C520WS v2 IP cameras. The root cause is a NULL pointer dereference triggered by the device's HTTP service when processing POST requests with an excessively large Content-Length header. Specifically, the HTTP service attempts to allocate memory based on the Content-Length value; if this allocation fails, the service dereferences a NULL pointer, causing the main process to crash. This crash results in a denial-of-service (DoS) condition, as the device restarts automatically but can be kept in a continuous reboot loop by repeated malicious requests. The vulnerability can be exploited by an unauthenticated attacker remotely, without requiring any user interaction, making it relatively easy to trigger. The CVSS 4.0 score is 7.1 (high severity), reflecting the significant impact on availability but no impact on confidentiality or integrity. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-476 (NULL Pointer Dereference), a common programming error leading to crashes or unexpected behavior.

For European organizations deploying TP-Link Tapo C220 v1 or C520WS v2 cameras, this vulnerability poses a risk primarily to the availability of these devices. As these cameras are often used for physical security and surveillance, a denial-of-service could result in temporary loss of video monitoring capabilities, potentially exposing facilities to security blind spots. Repeated exploitation could cause prolonged outages, impacting incident response and security operations. While confidentiality and integrity are not directly affected, the disruption of surveillance services can have secondary security implications. Organizations relying on these devices in critical infrastructure, retail, or public sector environments may face operational risks and compliance challenges if surveillance is interrupted. The ease of exploitation by unauthenticated attackers increases the threat level, especially in environments where these devices are accessible from untrusted networks or the internet.

Given the absence of an official patch, organizations should implement network-level mitigations to reduce exposure. This includes restricting access to the cameras' HTTP service via firewall rules, allowing only trusted management networks or VPN connections. Deploying intrusion detection or prevention systems (IDS/IPS) to detect and block anomalous HTTP POST requests with unusually large Content-Length headers can help prevent exploitation. Regular monitoring of device availability and logs for repeated crashes or restarts is advised to detect potential attacks early. Where possible, segment the camera network from critical IT infrastructure to limit impact. Organizations should engage with TP-Link for firmware updates or advisories and plan for timely patching once available. Additionally, consider alternative camera models with better security postures if these devices are critical to operations.