CVE-2026-36602 Overview
CVE-2026-36602 affects the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The device leaks kernel memory layout information through the Universal Plug and Play (UPnP) GetStatusInfo action. An unauthenticated attacker on the adjacent network can retrieve a raw MIPS KSEG0 kernel pointer from the response. This disclosure undermines Kernel Address Space Layout Randomization (KASLR) protections and provides a foundation for chaining additional exploits against the router's kernel.
Critical Impact
Adjacent unauthenticated attackers can obtain raw MIPS KSEG0 kernel pointers, exposing kernel memory layout and enabling reliable follow-on kernel exploitation.
Affected Products
- Mercusys AC12G (EU) V1 router
- Firmware version AC12G(EU)_V1_200909
- UPnP service handling the GetStatusInfo action
Discovery Timeline
- 2026-06-03 - CVE-2026-36602 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36602
Vulnerability Analysis
The vulnerability resides in the UPnP service exposed by the Mercusys AC12G (EU) V1 router. When the device processes a GetStatusInfo SOAP action, the response body includes a raw kernel-space pointer originating from the MIPS KSEG0 segment. KSEG0 is the unmapped, cached kernel segment on MIPS architectures and its addresses directly reveal kernel memory placement. The leaked pointer allows an attacker to compute base offsets for kernel symbols and structures. This class of issue is categorized as Information Exposure and Memory Information Disclosure.
Root Cause
The UPnP handler embeds an internal kernel pointer in user-facing output without sanitization or redaction. The firmware does not filter pointer-shaped values before serializing the SOAP response. As a result, internal kernel state crosses the trust boundary into an unauthenticated network response.
Attack Vector
An attacker on the adjacent network sends a crafted UPnP GetStatusInfo SOAP request to the router's UPnP endpoint. No authentication, credentials, or user interaction are required. The response contains a MIPS KSEG0 pointer that the attacker parses to derive kernel base addresses. The disclosed pointer is typically combined with a separate memory corruption primitive to defeat KASLR and achieve reliable code execution against the router's kernel. Refer to the GitHub Security Advisory for the proof-of-concept request format.
Detection Methods for CVE-2026-36602
Indicators of Compromise
- Inbound SOAP requests to the router's UPnP control URL invoking the GetStatusInfo action from adjacent-network hosts.
- UPnP response payloads containing hexadecimal values in the MIPS KSEG0 range (addresses beginning with 0x80 on 32-bit MIPS).
- Repeated UPnP enumeration traffic from a single LAN client followed by anomalous traffic to the router management plane.
Detection Strategies
- Inspect LAN traffic for unsolicited UPnP GetStatusInfo SOAP requests directed at the router's control endpoint.
- Parse UPnP response bodies for pointer-shaped tokens matching MIPS kernel address patterns.
- Correlate UPnP probing with subsequent exploitation attempts such as command injection or buffer overflow payloads targeting the same device.
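The response-parsing strategy above, as an added example (not code from the advisory or the vendor): a Python scanner that walks every element of a captured SOAP response and flags values in the 32-bit MIPS KSEG0 range (0x80000000 to 0x9FFFFFFF), whether written in hex or decimal. The sample response is constructed, and the field holding the value is chosen arbitrarily, since the advisory does not name the leaking field.

```python
import re
import xml.etree.ElementTree as ET

# KSEG0 on 32-bit MIPS: the unmapped, cached kernel segment.
KSEG0_START, KSEG0_END = 0x80000000, 0x9FFFFFFF
# 8 hex digits (optional 0x) or a 10-digit decimal, not part of a longer token.
# A bare 8-digit number such as 90000000 is read as hex and can false-positive.
HEX_RE = re.compile(r"(?<![0-9A-Za-z])(?:0[xX])?([0-9A-Fa-f]{8})(?![0-9A-Za-z])")
DEC_RE = re.compile(r"(?<!\d)(\d{10})(?!\d)")

def _scan(tag, text):
    """Yield (tag, token, value, encoding) for each KSEG0-range value in text."""
    for regex, base, enc in ((HEX_RE, 16, "hex"), (DEC_RE, 10, "dec")):
        for m in regex.finditer(text):
            value = int(m.group(1), base)
            if KSEG0_START <= value <= KSEG0_END:
                yield (tag, m.group(0), value, enc)

def find_kseg0_tokens(soap_body: bytes):
    """Scan every element of a UPnP SOAP response for pointer-shaped values."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        # Embedded UPnP stacks can emit malformed XML; fall back to a raw scan.
        return list(_scan("(raw)", soap_body.decode("latin-1")))
    hits = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        hits.extend(_scan(tag, elem.text or ""))
    return hits

# Constructed sample response (not captured from a device); field choice is arbitrary.
SAMPLE_LEAKY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetStatusInfoResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewConnectionStatus>Connected</NewConnectionStatus>
   <NewLastConnectionError>ERROR_NONE</NewLastConnectionError>
   <NewUptime>0x80a1b2c0</NewUptime>
  </u:GetStatusInfoResponse>
 </s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    for hit in find_kseg0_tokens(SAMPLE_LEAKY):
        print("ALERT kernel-pointer-shaped value: %s=%s (0x%08x, %s)" % hit)
```

Run it over response bodies extracted from a LAN capture; a hit in a field that should carry a status string or a small counter is the signal worth alerting on.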
Monitoring Recommendations
- Enable verbose logging on network monitoring appliances for SSDP and UPnP SOAP traffic on TCP ports used by the router's UPnP daemon.
- Alert on any UPnP traffic originating from untrusted or guest network segments.
- Track baseline UPnP request volumes per client and flag deviations indicative of reconnaissance.
How to Mitigate CVE-2026-36602
Immediate Actions Required
- Disable UPnP on the Mercusys AC12G (EU) V1 router until a vendor patch is available.
- Restrict access to the router's LAN-side management and UPnP services using network segmentation and isolated guest VLANs.
- Block UPnP traffic between untrusted client segments and the router's control interface at upstream firewalls or switches.
Patch Information
No vendor patch is referenced in the available CVE data. Monitor the GitHub Security Advisory and Mercusys support channels for firmware updates superseding AC12G(EU)_V1_200909.
Workarounds
- Turn off the UPnP service in the router's administration interface to remove the vulnerable GetStatusInfo endpoint.
- Place the router behind a hardened gateway that filters or rewrites UPnP SOAP responses on the local network.
- Limit Wi-Fi access to trusted devices and disable guest networks that could provide adjacent-network attack positions.
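# Configuration example: block UPnP control traffic on a Linux gateway
# These rules only see traffic routed through the gateway (for example from a guest
# segment); hosts on the router's own LAN segment reach it directly.
# Drop forwarded traffic to port 1900 (SSDP discovery uses UDP 1900)
iptables -A FORWARD -p tcp --dport 1900 -j DROP
iptables -A FORWARD -p udp --dport 1900 -j DROP
# Drop forwarded SOAP requests naming the action (FORWARD, not INPUT: INPUT only matches traffic addressed to the gateway itself)
iptables -A FORWARD -p tcp --dport 49152:65535 -m string --algo bm --string "GetStatusInfo" -j DROP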


