Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers.
AnalysisAI
Information disclosure in Mercusys AC12G (EU) V1 router firmware AC12G(EU)_V1_200909 leaks 128 bytes of uninitialized memory when the UPnP service on port 1900 receives POST requests lacking a SOAPAction header, enabling unauthenticated adjacent-network attackers to harvest internal buffer contents. The flaw is rated CVSS 7.3 (low impact across CIA), and no public exploit identified at time of analysis, though the referenced GitHub advisory documents the issue with reproduction details.
Technical ContextAI
The vulnerability resides in the UPnP/SSDP handler on TCP/UDP port 1900, which is part of the device's automated service-discovery stack. The root cause maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): when a POST request arrives without the expected SOAPAction header, the handler still allocates and returns a 128-byte response buffer but fails to initialize it, so prior heap/stack contents are echoed back to the requester. UPnP is intended for LAN service negotiation, and Mercusys AC12G is a consumer dual-band Wi-Fi router built on a typical embedded Linux firmware where such uninitialized-memory leaks frequently expose session tokens, credentials, or pointer values useful for chaining further attacks. The provided CPE string (cpe:2.3:a:n/a:n/a) is a placeholder and does not enumerate the actual hardware/firmware CPE.
RemediationAI
No vendor-released patch identified at time of analysis - Mercusys has not published an advisory or fixed firmware in the supplied references, so administrators should monitor https://www.mercusys.com for firmware updates beyond AC12G(EU)_V1_200909 and consult the researcher advisory at https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36611.md for current status. As compensating controls, disable the UPnP service on the router (this breaks automatic port-mapping for games, VoIP, and some peer-to-peer applications but eliminates the vulnerable listener), or block inbound traffic to TCP/UDP port 1900 from the LAN at a downstream firewall or managed switch where feasible (this also breaks UPnP discovery for clients on that segment). Segregate untrusted devices (guest Wi-Fi, IoT) onto a separate VLAN that cannot reach the router's management interface, and consider replacing the device if vendor support has lapsed.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34150
GHSA-rh54-5hmc-6qjg