CVE-2026-12760 | A denial-of-service (DoS) vulnerability has been identified … | CVSS 7.1 HIGH

Description

A denial-of-service (DoS) vulnerability has been identified in Tapo C200 v3 in the network packet handling logic due to improper handling of IPv4 fragmented packets. An unauthenticated adjacent attacker can send crafted packets to cause excessive resource consumption, leading to instability of the device.Successful exploitation can remotely trigger a temporary denial-of-service condition, causing the camera to become unresponsive and resulting in intermittent loss of video monitoring and recording.

Metadata

CVE ID: CVE-2026-12760
State: PUBLISHED
Assigner: TPLink
Reserved: 2026-06-19 21:06 UTC
Published: 2026-06-24 18:10 UTC
Last updated: 2026-06-24 18:53 UTC
Primary CWE: CWE-770
CWE-770 Allocation of resources without limits or throttling
Vendor / Product: TP-Link Systems Inc. / Tapo C200 v3
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 4.0

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
TP-Link Systems Inc.	Tapo C200 v3	NVMP	0 < 1.4.4 Build 250922

Weakness (CWE)

CWE	Source	Description
CWE-770	cna	CWE-770 Allocation of resources without limits or throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (3)