CVE-2026-0918 is a vulnerability identified in TP-Link Systems Inc.'s Tapo C220 v1 and C520WS v2 IP cameras. The root cause is a NULL pointer dereference triggered by the device's HTTP service when processing POST requests that specify an excessively large Content-Length header. This improper input validation leads to a failed memory allocation attempt, causing the main service process to crash. The device firmware automatically restarts the service upon failure, but an attacker can repeatedly send such malicious requests to induce continuous crashes, resulting in a persistent denial of service condition. The vulnerability requires no authentication or user interaction, making it exploitable remotely by any unauthenticated attacker with network access to the device. The CVSS v4.0 score of 7.1 reflects a high severity, primarily due to the ease of exploitation and the impact on availability. The vulnerability is categorized under CWE-476 (NULL Pointer Dereference), which typically results in crashes or unexpected behavior. No patches have been linked yet, and no known exploits have been reported in the wild. The attack surface is limited to the affected camera models' HTTP service, which is commonly exposed on local networks or potentially over the internet if devices are misconfigured.

The primary impact of CVE-2026-0918 is denial of service, which can disrupt the availability of surveillance and monitoring functions provided by the affected TP-Link Tapo cameras. For organizations relying on these devices for physical security, operational monitoring, or remote surveillance, repeated service crashes can lead to blind spots and gaps in security coverage. This may increase the risk of undetected intrusions or operational failures. The vulnerability does not directly compromise confidentiality or integrity, but the loss of availability can have downstream effects on incident response and situational awareness. In environments where these cameras are deployed at scale, such as corporate campuses, retail stores, or critical infrastructure sites, the ability for an unauthenticated attacker to cause persistent outages could be leveraged as part of a broader attack strategy. Additionally, the automatic restart behavior may mask the underlying issue, delaying detection and remediation. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the likelihood of opportunistic attacks, especially in networks with exposed or poorly segmented IoT devices.

To mitigate CVE-2026-0918, organizations should first verify if they are using the affected TP-Link Tapo C220 v1 or C520WS v2 camera models. Until official patches are released, network-level controls are critical. Restrict access to the cameras' HTTP service by implementing network segmentation and firewall rules that limit incoming traffic to trusted management hosts only. Disable remote access features or VPN into the local network to manage devices securely. Monitor network traffic for abnormal POST requests with unusually large Content-Length headers as indicators of attempted exploitation. Employ intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect and block such malformed HTTP requests. Regularly check for firmware updates from TP-Link and apply patches promptly once available. Consider replacing vulnerable devices if they are critical to security operations and cannot be adequately protected by network controls. Additionally, maintain an inventory of IoT devices and enforce strict configuration management to minimize exposure.