Skip to main content

Mercusys AC12G CVE-2026-36613

| EUVDEUVD-2026-34152 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-03 mitre GHSA-fvhh-w2mm-jjhf
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 03, 2026 - 20:36 vuln.today
CVSS changed
Jun 03, 2026 - 19:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 03, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers.

AnalysisAI

Uninitialized memory disclosure in the Mercusys AC12G (EU) V1 router exposes 128 bytes of internal server buffer contents to unauthenticated adjacent-network attackers. The device's HTTP server fails to sanitize responses for POST requests sent to undefined paths, returning raw internal buffer data instead of a clean error. No active exploitation is confirmed (not in CISA KEV), but a public researcher advisory exists on GitHub; the CVSS score of 4.3 (Medium) reflects the adjacent-network-only attack vector and limited confidentiality impact.

Technical ContextAI

The vulnerability is rooted in CWE-125 (Out-of-Bounds Read), where the embedded HTTP server on the Mercusys AC12G (EU) V1 - firmware version AC12G(EU)_V1_200909 - does not properly initialize or zero-fill the response buffer before writing error content for unmatched POST routes. When a request targets a path with no registered handler, the server copies or returns residual stack/heap memory into the HTTP response body, leaking up to 128 bytes of internal state. This class of bug is common in resource-constrained embedded firmware where dynamic memory allocation and buffer hygiene are handled manually without safe defaults. The NVD CPE (cpe:2.3:a:n/a:n/a) is non-specific and does not enumerate the affected firmware granularly; the exact affected build is AC12G(EU)_V1_200909 per the researcher advisory. Tags include 'Buffer Overflow,' though the root cause is more precisely an uninitialized-read/disclosure rather than a classic exploitable overflow leading to code execution.

RemediationAI

No vendor-released patch has been identified at the time of analysis - the Mercusys product page and official advisory channels were not referenced in the available intelligence, and the only technical reference is an independent researcher advisory. As a compensating control, administrators should restrict HTTP access to the router's management interface to trusted hosts only, ideally by placing the management plane on a dedicated VLAN or management network inaccessible to general LAN clients. Disabling remote HTTP management if enabled is also advisable. Since the attack requires adjacent network presence, strong network segmentation and Wi-Fi client isolation (where supported by the device) will materially limit exposure. Users should monitor Mercusys's official support channels at https://www.mercusys.com for any firmware update addressing this issue, and apply any released firmware upgrade promptly. The NVD entry is available at https://nvd.nist.gov/vuln/detail/CVE-2026-36613 for tracking patch availability.

Share

CVE-2026-36613 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy