Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.
AnalysisAI
Uninitialized memory disclosure in the Mercusys AC12G (EU) V1 router exposes 128 bytes of internal server buffer contents to unauthenticated adjacent-network attackers. The device's HTTP server fails to sanitize responses for POST requests sent to undefined paths, returning raw internal buffer data instead of a clean error. No active exploitation is confirmed (not in CISA KEV), but a public researcher advisory exists on GitHub; the CVSS score of 4.3 (Medium) reflects the adjacent-network-only attack vector and limited confidentiality impact.
Technical ContextAI
The vulnerability is rooted in CWE-125 (Out-of-Bounds Read), where the embedded HTTP server on the Mercusys AC12G (EU) V1 - firmware version AC12G(EU)_V1_200909 - does not properly initialize or zero-fill the response buffer before writing error content for unmatched POST routes. When a request targets a path with no registered handler, the server copies or returns residual stack/heap memory into the HTTP response body, leaking up to 128 bytes of internal state. This class of bug is common in resource-constrained embedded firmware where dynamic memory allocation and buffer hygiene are handled manually without safe defaults. The NVD CPE (cpe:2.3:a:n/a:n/a) is non-specific and does not enumerate the affected firmware granularly; the exact affected build is AC12G(EU)_V1_200909 per the researcher advisory. Tags include 'Buffer Overflow,' though the root cause is more precisely an uninitialized-read/disclosure rather than a classic exploitable overflow leading to code execution.
RemediationAI
No vendor-released patch has been identified at the time of analysis - the Mercusys product page and official advisory channels were not referenced in the available intelligence, and the only technical reference is an independent researcher advisory. As a compensating control, administrators should restrict HTTP access to the router's management interface to trusted hosts only, ideally by placing the management plane on a dedicated VLAN or management network inaccessible to general LAN clients. Disabling remote HTTP management if enabled is also advisable. Since the attack requires adjacent network presence, strong network segmentation and Wi-Fi client isolation (where supported by the device) will materially limit exposure. Users should monitor Mercusys's official support channels at https://www.mercusys.com for any firmware update addressing this issue, and apply any released firmware upgrade promptly. The NVD entry is available at https://nvd.nist.gov/vuln/detail/CVE-2026-36613 for tracking patch availability.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34152
GHSA-fvhh-w2mm-jjhf