Skip to main content

Mercusys AC12G CVE-2026-36605

| EUVDEUVD-2026-34144 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-03 mitre GHSA-j2fc-v5xj-h5gr
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:35 vuln.today
CVSS changed
Jun 03, 2026 - 19:22 NVD
6.5 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.

AnalysisAI

Persistent denial-of-service in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows an unauthenticated adjacent-network attacker to crash the device by sending a low number of crafted, incomplete HTTP requests, rendering it unresponsive until physically power-cycled. The attack exploits uncontrolled resource consumption (CWE-400) in the router's HTTP service, which fails to safely handle malformed or truncated connections. No public exploit code or active exploitation has been identified at time of analysis, and SSVC signals confirm exploitation status as none.

Technical ContextAI

The vulnerability resides in the HTTP server component embedded in the Mercusys AC12G (EU) V1 router's firmware (AC12G(EU)_V1_200909). CWE-400 (Uncontrolled Resource Consumption) indicates the HTTP handler does not enforce limits on incomplete or stalled connections - likely holding sockets, threads, or memory allocations open without timeout or cleanup logic. A small number of such requests is sufficient to exhaust the available handler capacity, crashing the service and the device itself in a non-recoverable state (persistent crash requiring physical power cycling). The CVSS attack vector of Adjacent Network (AV:A) reflects that the router's HTTP management interface is typically reachable from LAN-side clients rather than the open internet, though guest networks or other adjacent segments may also provide access. CPE data provided (cpe:2.3:a:n/a:n/a) is non-informative and the specific product scope is established solely by the researcher advisory and MITRE report.

RemediationAI

No vendor-released patch has been identified at time of analysis; the only public reference is a researcher-published GitHub advisory, not a vendor security bulletin. Administrators should monitor the Mercusys official support portal for firmware updates addressing this issue and apply any released patch immediately. In the interim, a practical compensating control is to restrict access to the router's HTTP management interface to a specific trusted IP or MAC address using the router's built-in access control features, preventing arbitrary LAN-side clients from reaching the web interface - note this may limit remote administration convenience. Where possible, disabling the HTTP management interface entirely and relying solely on local console access reduces the attack surface, though this eliminates web-based management. Network segmentation to isolate untrusted LAN devices (e.g., IoT devices, guest clients) from reaching the router's management plane is the most broadly effective compensating measure. Physical access controls to facilitate rapid power cycling are advisable for devices in unattended deployments where recovery time is a concern.

Share

CVE-2026-36605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy