CVE-2026-31256
Analyzed Analyzed - Analysis Complete
Null Pointer Dereference in MERCURY MIPC252W RTSP Causes Crash

Publication date: 2026-04-27

Last updated on: 2026-05-05

Assigner: MITRE

Description
A null pointer dereference vulnerability exists in the RTSP service of the MERCURY MIPC252W 1.0.5 Build 230306 Rel.79931n. During the processing of a SETUP request for the path rtsp://<IP>:554/stream1/track2, the device fails to properly validate the Transport header field. When this header is improperly constructed, the RTSP service can dereference a NULL pointer during request parsing. Successful exploitation causes the device to crash and automatically reboot.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31256
EUVD
EUVD-2026-25899
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mercurycom mipc252w_firmware 1.0.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31256 is a null pointer dereference vulnerability in the RTSP service of the MERCURY MIPC252W IP camera, specifically in firmware version 1.0.5 Build 230306 Rel.79931n.

The flaw occurs during the processing of a SETUP request for the RTSP path rtsp://<IP>:554/stream1/track2, where the device fails to properly validate the Transport header field.

If the Transport header is malformed, such as being present but empty, the RTSP service dereferences a NULL pointer during request parsing.

Successful exploitation requires an authenticated attacker to establish a legitimate RTSP session and then send a malformed SETUP request with an empty Transport header for the second media track.

This causes the RTSP service to crash and the device to automatically reboot, resulting in denial of service.

Compliance Impact

The vulnerability causes denial of service by crashing and rebooting the device, interrupting RTSP streaming and causing the camera to appear offline. However, there is no indication from the provided information that this vulnerability impacts confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized data access or data leakage, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal and sensitive data confidentiality and integrity.

Nevertheless, the availability impact caused by this vulnerability could indirectly affect compliance if the device is part of a critical system requiring continuous operation, but no explicit compliance impact is stated in the provided information.

Impact Analysis

Exploitation of this vulnerability causes the RTSP service on the MERCURY MIPC252W device to crash and automatically reboot.

This leads to denial of service by interrupting RTSP streaming and disconnecting the camera from its mobile application.

The device appears offline during this time, affecting availability and reliability.

Repeated exploitation can cause sustained service disruption, making the device unusable for its intended purpose.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the conditions that trigger the null pointer dereference in the RTSP service of the MERCURY MIPC252W device. Specifically, an authenticated RTSP session must be established, followed by sending a malformed SETUP request for the second media track (track2) with an empty Transport header.

A proof-of-concept Python script is available that demonstrates the full RTSP request sequence, including OPTIONS, DESCRIBE, SETUP for track1 (normal), SETUP for track2 (with an empty Transport header), PLAY, and TEARDOWN requests. Running this script against the device will cause it to crash and reboot if vulnerable.

To manually test or detect the vulnerability, you can use tools like curl or specialized RTSP clients to send a SETUP request with an empty Transport header to the RTSP path rtsp://<IP>:554/stream1/track2 after authenticating. Monitoring the device for crashes or reboots after sending such a request indicates the presence of the vulnerability.

  • Establish an authenticated RTSP session to the device.
  • Send a SETUP request for rtsp://<IP>:554/stream1/track2 with an empty Transport header.
  • Observe if the device crashes or reboots, indicating the vulnerability.
Mitigation Strategies

Immediate mitigation steps include preventing exploitation by restricting access to the RTSP service on the MERCURY MIPC252W device.

  • Limit RTSP service access to trusted and authenticated users only.
  • Implement network-level controls such as firewall rules to block unauthorized or untrusted IP addresses from accessing port 554.
  • Monitor the device for unexpected crashes or reboots that may indicate exploitation attempts.

Since the vulnerability arises from improper validation of the Transport header in RTSP SETUP requests, avoid sending malformed RTSP requests and ensure that only legitimate RTSP clients are allowed to communicate with the device.

Check with the device vendor for firmware updates or patches that address this vulnerability and apply them as soon as they become available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31256. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart