CVE-2026-31256 Overview
A null pointer dereference vulnerability exists in the RTSP (Real-Time Streaming Protocol) service of the MERCURY MIPC252W IP camera. The vulnerability is triggered during the processing of a SETUP request targeting the path rtsp://<IP>:554/stream1/track2. When the device receives a malformed Transport header field, the RTSP service fails to properly validate the input before dereferencing the resulting pointer. Successful exploitation causes the device to crash and automatically reboot, resulting in a denial of service condition.
Critical Impact
Remote attackers can repeatedly crash and reboot the MERCURY MIPC252W camera without authentication, disrupting video surveillance capabilities and potentially creating security blind spots.
Affected Products
- MERCURY MIPC252W firmware version 1.0.5 Build 230306 Rel.79931n
Discovery Timeline
- 2026-04-27 - CVE-2026-31256 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31256
Vulnerability Analysis
This vulnerability is classified as CWE-476 (Null Pointer Dereference), a flaw that occurs when a program attempts to dereference a pointer that has a null value. In the MERCURY MIPC252W camera, the RTSP service handles incoming streaming requests but lacks adequate input validation for the Transport header field within SETUP requests.
The RTSP protocol is commonly used in IP cameras to establish and control media sessions. When processing a SETUP request, the camera parses various headers including the Transport header, which specifies how the media stream should be delivered. The vulnerability manifests when this header is improperly constructed or contains unexpected values, causing the parsing logic to produce a null pointer that is subsequently dereferenced.
Root Cause
The root cause is improper input validation in the RTSP service request handler. Specifically, the code responsible for parsing the Transport header field does not verify that the parsed result is a valid, non-null pointer before attempting to access its contents. This missing null check allows a crafted SETUP request to trigger the null pointer dereference condition.
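The missing check described above, as an added illustration in C. This is not code from the camera firmware or from the original advisory: `parse_transport`, `handle_setup_unchecked` and `handle_setup` are hypothetical names, and the parser accepts only a simplified subset of the RFC 2326 Transport syntax.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed Transport header; not the firmware's own structure. */
struct transport { long port_lo, port_hi; };   /* client_port range */

/* Returns NULL when the value is missing or malformed (or allocation fails).
 * Accepts only "RTP/AVP;...;client_port=lo[-hi]": a simplification. */
struct transport *parse_transport(const char *value)
{
    size_t plen = value ? strcspn(value, ";") : 0;
    if (plen != 7 || strncmp(value, "RTP/AVP", 7) != 0)
        return NULL;
    const char *p = strstr(value + plen, ";client_port=");
    if (p == NULL)
        return NULL;
    char *end;
    long lo = strtol(p + 13, &end, 10);          /* 13 == strlen(";client_port=") */
    long hi = (*end == '-') ? strtol(end + 1, &end, 10) : lo;
    if (lo < 1 || hi < lo || hi > 65535 || (*end != '\0' && *end != ';'))
        return NULL;
    struct transport *t = malloc(sizeof *t);
    if (t != NULL) {
        t->port_lo = lo;
        t->port_hi = hi;
    }
    return t;
}

/* Pattern the advisory describes: the parse result is used unchecked, so a
 * failed parse crashes the process. Shown for comparison only. */
int handle_setup_unchecked(const char *value, long *rtp_port)
{
    struct transport *t = parse_transport(value);
    *rtp_port = t->port_lo;              /* NULL dereference on failure */
    free(t);
    return 200;
}

/* Hardened form: a failed parse becomes 400 Bad Request, never a dereference. */
int handle_setup(const char *value, long *rtp_port)
{
    struct transport *t = parse_transport(value);
    if (t == NULL)
        return 400;
    *rtp_port = t->port_lo;
    free(t);
    return 200;
}
```

The only difference between the two handlers is the `t == NULL` test, which is the check the Root Cause section identifies as missing.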
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to the camera's RTSP port (typically TCP port 554) can send a specially crafted SETUP request with a malformed Transport header. The attack path involves:
- Establishing a TCP connection to the target camera on port 554
- Initiating an RTSP session with a DESCRIBE request
- Sending a malicious SETUP request for stream1/track2 with an improperly constructed Transport header
- The RTSP service parses the malformed header and attempts to dereference the resulting null pointer
- The null pointer dereference causes a crash, triggering an automatic device reboot
For detailed technical information about the vulnerability, see the GitHub documentation reference.
Detection Methods for CVE-2026-31256
Indicators of Compromise
- Repeated unexpected reboots of MERCURY MIPC252W cameras
- Network traffic showing malformed RTSP SETUP requests targeting port 554
- Gaps in video surveillance footage coinciding with device restarts
- RTSP connection attempts with unusual or malformed Transport header values
Detection Strategies
- Monitor network traffic for anomalous RTSP SETUP requests containing malformed Transport headers
- Implement intrusion detection rules to identify patterns of repeated RTSP connections followed by device disconnections
- Configure logging on network perimeter devices to capture RTSP traffic to affected camera models
- Deploy network-based anomaly detection to identify denial of service patterns against IoT devices
Monitoring Recommendations
- Enable comprehensive logging for RTSP traffic on network security appliances
- Set up alerts for unexpected camera reboots or connectivity losses
- Monitor for high volumes of RTSP requests from single source IPs targeting camera infrastructure
- Implement baseline monitoring for normal RTSP traffic patterns to detect anomalies
How to Mitigate CVE-2026-31256
Immediate Actions Required
- Isolate affected MERCURY MIPC252W cameras from untrusted networks
- Implement network segmentation to restrict access to RTSP services (port 554)
- Configure firewall rules to allow RTSP access only from trusted IP addresses
- Monitor for firmware updates from the vendor
Patch Information
No vendor patch information is currently available. Monitor the vendor's official channels for security updates addressing this vulnerability. Additional technical details are available in the GitHub documentation reference.
Workarounds
- Restrict network access to the RTSP service using firewall rules or network segmentation
- Place affected cameras on isolated VLAN segments with strict access controls
- Deploy a VPN or other secure access mechanism for remote viewing requirements
- Consider disabling the RTSP service if live streaming is not required for your deployment
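# Example firewall rules to restrict RTSP access (iptables)
# Apply on the Linux gateway that routes traffic to the camera: forwarded
# traffic traverses the FORWARD chain, not INPUT.
CAMERA_IP=192.0.2.10   # placeholder: replace with the camera's address
# Allow RTSP only from the trusted management subnet
iptables -A FORWARD -p tcp -d "$CAMERA_IP" --dport 554 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d "$CAMERA_IP" --dport 554 -j DROP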