CVE-2026-36611 | Severity: HIGH | CNA: mitre

CVE-2026-36611: Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers

Metrics

  • CVSS v3.1: 7.3
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An information disclosure vulnerability affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. When the device's UPnP service on port 1900 receives a POST request without a SOAPAction header, it returns 128 bytes of uninitialized memory to the requester, no authentication required. Successful exploitation leaks internal memory contents to any attacker who can send a crafted HTTP POST to the UPnP port, which may expose sensitive runtime data such as addresses, keys, or other in-memory values. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-36611 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against customer images and container pipelines, including custom-built images that incorporate affected firmware or software derived from affected components.

Triage (Available)

HarborGuard triage capability scores this CVE at 7.3 HIGH using the published CVSS v3.1 vector and can weight that score against each customer environment's compliance policy to route alerts to the appropriate team inbox.

Patch (Pending upstream)

No fix version has been published for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the device's UPnP service on port 1900 over the network; exposure increases significantly if this port is accessible from untrusted network segments.

  • Authentication: Not required

    No credentials or session token are needed; any unauthenticated party that can send a POST request to port 1900 can trigger the memory disclosure.

  • Victim interaction: Not required

    No user or administrator action is required; the vulnerable response is returned automatically by the UPnP service upon receiving a malformed POST request.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout beyond sending a single crafted POST request.

Blast Radius

  • The attacker reads 128 bytes of uninitialized heap or stack memory, which may contain fragments of runtime data such as memory addresses, session identifiers, or cryptographic material.
  • Partial memory address exposure can assist an attacker in bypassing address-space layout randomization if further exploitation of the device is attempted.
  • Data integrity is partially at risk (CVSS I:L), meaning the attacker gains a foothold that may allow limited modification of device state or behavior.
  • Service availability is partially affected (CVSS A:L), with the possibility of minor disruption to UPnP-dependent functionality on the device.

How HarborGuard Handles This

Available on HarborGuard: this CVE is being actively monitored with no upstream fix currently published. Each ingest cycle, HarborGuard re-checks the advisory so that a patched-image rebuild can be offered the moment Mercusys publishes a corrected firmware or a downstream package fix lands. In the interim, compensating controls that customers can apply include network-policy isolation to block untrusted hosts from reaching UPnP port 1900, egress filtering to prevent the device or containers bridging to it from returning unexpected traffic to external segments, and feature-flag or firewall gating to disable UPnP entirely where it is not operationally required. For customers who opt into auto-remediation, the full rebuild, regression test run, and PR flow will trigger automatically against affected workloads once a fix version is available.
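While no fix is available, the trigger condition in this advisory (a POST to port 1900 with no SOAPAction header) can be watched for on the network segment in front of the device. The sketch below is an added example, not HarborGuard or Mercusys code; it assumes traffic has already been reassembled into per-request TCP payloads, and the `Segment` record, the sample requests and the RFC 5737 addresses are constructed for illustration.

```python
from typing import NamedTuple

UPNP_PORT = 1900  # port named in the advisory

class Segment(NamedTuple):
    """One reassembled request payload (hypothetical record format)."""
    src: str
    dst_port: int
    payload: bytes

def parse_request(payload: bytes):
    """Return (method, headers) for an HTTP request, or None if unparsable."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # skip malformed header lines instead of failing
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), headers

def suspicious(seg: Segment) -> bool:
    """True for a POST to the UPnP port that carries no SOAPAction header."""
    if seg.dst_port != UPNP_PORT:
        return False
    parsed = parse_request(seg.payload)
    if parsed is None:
        return False
    method, headers = parsed
    return method == b"POST" and b"soapaction" not in headers

def scan(segments):
    """Return the sorted source addresses that sent a suspicious request."""
    return sorted({s.src for s in segments if suspicious(s)})

# Constructed sample traffic; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    Segment("192.0.2.10", 1900, b'POST / HTTP/1.1\r\nHost: r\r\nSOAPAction: "urn:x#Get"\r\n\r\n'),
    Segment("192.0.2.66", 1900, b"POST / HTTP/1.1\r\nHost: r\r\nContent-Length: 0\r\n\r\n"),
    Segment("192.0.2.66", 80, b"POST / HTTP/1.1\r\nHost: r\r\n\r\n"),
    Segment("192.0.2.77", 1900, b"GET / HTTP/1.1\r\nHost: r\r\n\r\n"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Header names are matched case-insensitively, so a legitimate control point that sends `soapaction:` in lower case is not flagged.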

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L