CVE-2026-36602
Mercusys AC12G (EU) V1 Firmware Kernel Memory Disclosure
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mercusys | ac12g | ac12g(eu)_v1_200909 |
| mercusys | ac12g | ac12g(eu)_v1_210128 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-36602 affects the Mercusys AC12G (EU) V1 router with specific firmware versions. The vulnerability is in the UPnP GetStatusInfo action of the WANIPConnection service, which leaks kernel memory layout details to unauthenticated attackers on the adjacent network.
Specifically, the NewConnectionStatus field in the SOAP response returns a raw MIPS KSEG0 kernel pointer instead of a status string. This pointer reveals memory addresses that can defeat Address Space Layout Randomization (ASLR) and aid further exploitation.
The issue arises because the handler passes a pointer value through string formatting without dereferencing it. Additionally, the uptime field contains a trailing 'l', indicating a printf format specifier mismatch.
Since the underlying VxWorks operating system lacks ASLR, the leaked addresses remain stable and provide a reliable memory map, which could be exploited for code execution if combined with future overflow vulnerabilities.
The endpoint is accessible without authentication, as is typical for UPnP on the LAN.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker on the adjacent network to obtain kernel memory layout information by leaking a raw kernel pointer.
By revealing stable kernel memory addresses, the attacker can defeat ASLR protections and gain a reliable memory map, which can be used to facilitate further exploitation such as code execution.
If combined with other vulnerabilities like buffer overflows, this could lead to remote code execution on the affected router, potentially compromising the device and the network it protects.
Since the affected product is end-of-life with no planned fixes, the risk remains unless mitigated by other means.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a UPnP GetStatusInfo action request to the WANIPConnection service on the Mercusys AC12G (EU) V1 router and inspecting the SOAP response.
If the NewConnectionStatus field in the response contains a raw MIPS KSEG0 kernel pointer (a memory address) instead of a normal status string, this indicates the presence of the vulnerability.
To test this, use a UPnP client, a tool like curl, or a custom SOAP request script to invoke the GetStatusInfo action, then parse the response for suspicious kernel pointer values.
- Send a SOAP request to the router's UPnP WANIPConnection service endpoint targeting the GetStatusInfo action.
- Check the NewConnectionStatus field in the SOAP response for raw kernel pointer values (e.g., hexadecimal addresses typical of MIPS KSEG0 memory region).
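One way to automate the response check described above, as an added example that is not part of the original advisory or any vendor code. The sample responses and the address 0x80123456 are constructed, the hex/decimal rendering of the pointer is an assumption, and the NewUptime field name and the list of valid status strings are taken from the UPnP IGD WANIPConnection service definition rather than from this page.

```python
import re
import xml.etree.ElementTree as ET

# ConnectionStatus strings defined by the UPnP IGD WAN*Connection services.
VALID_STATUS = {"Unconfigured", "Connecting", "Authenticating", "Connected",
                "PendingDisconnect", "Disconnecting", "Disconnected"}
KSEG0_START, KSEG0_END = 0x80000000, 0x9FFFFFFF  # MIPS32 unmapped, cached segment

def as_kseg0(text):
    """Return text as an int if it parses (hex or decimal) into KSEG0, else None."""
    values = []
    if re.fullmatch(r"(0[xX])?[0-9a-fA-F]{1,8}", text):
        values.append(int(text, 16))
    if re.fullmatch(r"[0-9]+", text):
        values.append(int(text, 10))
    return next((v for v in values if KSEG0_START <= v <= KSEG0_END), None)

def check_status_info(soap_xml):
    """Return a list of findings for one GetStatusInfo SOAP response body."""
    if "<!DOCTYPE" in soap_xml.upper():  # SOAP forbids DTDs; do not parse entities
        return ["response carries a DTD: refused to parse"]
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
              for el in ET.fromstring(soap_xml).iter()}
    status = fields.get("NewConnectionStatus")
    if status is None:
        return ["NewConnectionStatus missing: not a GetStatusInfo response"]
    findings = []
    ptr = as_kseg0(status)
    if ptr is not None:
        findings.append(f"NewConnectionStatus is a KSEG0 address (0x{ptr:08x})")
    elif status not in VALID_STATUS:
        findings.append(f"NewConnectionStatus is not a status string: {status!r}")
    uptime = fields.get("NewUptime", "")
    if not re.fullmatch(r"[0-9]+", uptime):  # ui4 in the spec; a trailing 'l' lands here
        findings.append(f"NewUptime is not a plain integer: {uptime!r}")
    return findings

def sample_response(status, uptime):
    """Constructed SOAP response for testing; not captured from a device."""
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetStatusInfoResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'<NewConnectionStatus>{status}</NewConnectionStatus>'
            '<NewLastConnectionError>ERROR_NONE</NewLastConnectionError>'
            f'<NewUptime>{uptime}</NewUptime>'
            '</u:GetStatusInfoResponse></s:Body></s:Envelope>')

if __name__ == "__main__":
    print(check_status_info(sample_response("0x80123456", "4321l")))  # two findings
    print(check_status_info(sample_response("Connected", "4321")))    # no findings
```

Pass `check_status_info` the response body saved from your own router by whichever UPnP client you use; an empty list means both fields look well-formed.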
What immediate steps should I take to mitigate this vulnerability?
Since the affected Mercusys AC12G (EU) V1 router firmware is end-of-life with no planned fixes, immediate mitigation steps focus on reducing exposure.
- Disable UPnP on the router if possible to prevent unauthenticated access to the vulnerable GetStatusInfo action.
- Restrict network access to the router's UPnP service to trusted devices only, ideally isolating the router from untrusted adjacent networks.
- Monitor network traffic for suspicious UPnP requests targeting the WANIPConnection service.
Long term, consider replacing the device with a supported router that receives security updates.