CVE-2026-31256
Null Pointer Dereference in MERCURY MIPC252W RTSP Causes Crash
Publication date: 2026-04-27
Last updated on: 2026-05-05
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercurycom | mipc252w_firmware | 1.0.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31256 is a null pointer dereference vulnerability in the RTSP service of the MERCURY MIPC252W IP camera, specifically in firmware version 1.0.5 Build 230306 Rel.79931n.
The flaw occurs during the processing of a SETUP request for the RTSP path rtsp://<IP>:554/stream1/track2, where the device fails to properly validate the Transport header field.
If the Transport header is malformed, such as being present but empty, the RTSP service dereferences a NULL pointer during request parsing.
Successful exploitation requires an authenticated attacker to establish a legitimate RTSP session and then send a malformed SETUP request with an empty Transport header for the second media track.
This causes the RTSP service to crash and the device to automatically reboot, resulting in denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability causes denial of service by crashing and rebooting the device, interrupting RTSP streaming and causing the camera to appear offline. However, there is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data.
Since the vulnerability does not lead to unauthorized data access or data leakage, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal and sensitive data confidentiality and integrity.
Nevertheless, the availability impact caused by this vulnerability could indirectly affect compliance if the device is part of a critical system requiring continuous operation, but no explicit compliance impact is stated in the provided information.
How can this vulnerability impact me? :
Exploitation of this vulnerability causes the RTSP service on the MERCURY MIPC252W device to crash and automatically reboot.
This leads to denial of service by interrupting RTSP streaming and disconnecting the camera from its mobile application.
The device appears offline during this time, affecting availability and reliability.
Repeated exploitation can cause sustained service disruption, making the device unusable for its intended purpose.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the conditions that trigger the null pointer dereference in the RTSP service of the MERCURY MIPC252W device. Specifically, an authenticated RTSP session must be established, followed by sending a malformed SETUP request for the second media track (track2) with an empty Transport header.
A proof-of-concept Python script is available that demonstrates the full RTSP request sequence, including OPTIONS, DESCRIBE, SETUP for track1 (normal), SETUP for track2 (with an empty Transport header), PLAY, and TEARDOWN requests. Running this script against the device will cause it to crash and reboot if vulnerable.
To manually test or detect the vulnerability, you can use tools like curl or specialized RTSP clients to send a SETUP request with an empty Transport header to the RTSP path rtsp://<IP>:554/stream1/track2 after authenticating. Monitoring the device for crashes or reboots after sending such a request indicates the presence of the vulnerability.
- Establish an authenticated RTSP session to the device.
- Send a SETUP request for rtsp://<IP>:554/stream1/track2 with an empty Transport header.
- Observe if the device crashes or reboots, indicating the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include preventing exploitation by restricting access to the RTSP service on the MERCURY MIPC252W device.
- Limit RTSP service access to trusted and authenticated users only.
- Implement network-level controls such as firewall rules to block unauthorized or untrusted IP addresses from accessing port 554.
- Monitor the device for unexpected crashes or reboots that may indicate exploitation attempts.
Since the vulnerability arises from improper validation of the Transport header in RTSP SETUP requests, avoid sending malformed RTSP requests and ensure that only legitimate RTSP clients are allowed to communicate with the device.
Check with the device vendor for firmware updates or patches that address this vulnerability and apply them as soon as they become available.