Skip to main content

Meari IoT SDK CVE-2026-33361

| EUVDEUVD-2026-29105 HIGH
Inadequate Encryption Strength (CWE-326)
2026-05-11 runZero GHSA-pfqv-vhwj-2rjw
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 16:46 vuln.today
CVE Published
May 11, 2026 - 16:03 nvd
HIGH 7.5

DescriptionCVE.org

In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.

AnalysisAI

Weak XOR obfuscation in Meari IoT SDK's libmrplayer.so library enables remote unauthenticated attackers to decrypt baby monitor image snapshots from CloudEdge 5.5.0, Arenti 1.8.1, and white-label apps (versions ≤1.8.x). The '.jpgx3' file format applies reversible XOR encryption only to the first 1024 bytes using a predictable key derivation model, exposing confidential video surveillance imagery. EPSS data unavailable; no CISA KEV listing or public exploit code confirmed, though proof-of-concept research published by runZero demonstrates practical decryption. CVSS 7.5 reflects HIGH confidentiality impact with network-accessible attack surface requiring no authentication.

Technical ContextAI

The vulnerability exists in the Meari IoT SDK's image handling library (libmrplayer.so), specifically affecting the proprietary '.jpgx3' file format used for baby monitor snapshots. This format implements CWE-326 (Inadequate Encryption Strength) through a flawed obfuscation scheme that applies XOR encryption only to the initial 1024-byte header rather than the entire file. The key derivation model follows a predictable pattern that can be reverse-engineered from the SDK implementation. The affected CPE (cpe:2.3:a:meari:com.meari.sdk) indicates this is a software library vulnerability impacting multiple white-label IoT camera applications that bundle the Meari SDK, including CloudEdge and Arenti branded products. XOR encryption with predictable keys provides no meaningful cryptographic protection-the algorithm is fully reversible once the key generation pattern is understood, making this effectively plaintext storage with trivial obfuscation.

RemediationAI

Primary mitigation requires upgrading to a patched version of the Meari IoT SDK that implements AES-256 or equivalent strong encryption for '.jpgx3' files-specific patched SDK version not confirmed from available data; consult vendor advisory at https://www.runzero.com/advisories/meari-weak-xor-obfuscation-cve-2026-33361/ for update availability. For CloudEdge and Arenti users, update mobile applications to versions beyond build 220 when vendor releases patches. Interim compensating controls: (1) Disable cloud storage of baby monitor snapshots in app settings and use local-only storage, accepting trade-off of reduced remote access convenience; (2) Restrict network access to IoT camera devices using firewall rules to block outbound connections to cloud endpoints (ports 443/TCP, 8883/TCP typically), which prevents image upload but breaks remote monitoring functionality; (3) Deploy network segmentation isolating camera VLAN from other networks to limit lateral movement if images are intercepted, though this does not prevent initial exfiltration. Side effects: local-only storage requires manual backup, network blocking eliminates mobile app access when away from home.

Share

CVE-2026-33361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy