CVE-2026-36611 Overview
CVE-2026-36611 is an information disclosure vulnerability in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The device returns 128 bytes of uninitialized buffer memory when it receives POST requests without a SOAPAction header on UPnP port 1900. An unauthenticated attacker on an adjacent network can query the device and harvest fragments of internal memory. The flaw is classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Unauthenticated attackers on the local network can repeatedly leak 128-byte chunks of router memory, potentially exposing credentials, session data, or configuration values processed in adjacent buffers.
Affected Products
- Mercusys AC12G (EU) V1 router hardware
- Firmware version AC12G(EU)_V1_200909
- UPnP service listening on TCP port 1900
Discovery Timeline
- 2026-06-03 - CVE-2026-36611 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36611
Vulnerability Analysis
The Mercusys AC12G UPnP service handles SOAP requests on port 1900. When the service receives a POST request that omits the expected SOAPAction header, it constructs a response using a stack or heap buffer that is never initialized with controlled data. The service then returns 128 bytes of that buffer to the requester. Because the buffer reuses memory previously allocated for other operations, its contents reflect residual data from prior processing on the device.
The vulnerability falls into the Uninitialized Memory Use and Information Disclosure categories. Repeated requests allow an attacker to sample memory contents over time and reconstruct sensitive material. No authentication is required, and the request fits within a single TCP session.
Root Cause
The root cause is missing input validation combined with improper memory initialization. The UPnP handler does not reject requests lacking the SOAPAction header. Instead, it proceeds along an error path that returns a fixed-size response buffer without zeroing it first. This pattern matches the classic [CWE-200] information exposure weakness.
Attack Vector
An attacker on the same network segment as the router sends a crafted HTTP POST request to port 1900 without including the SOAPAction header. The router responds with a 128-byte payload containing uninitialized memory. The attacker scripts repeated requests to collect samples and correlate leaked bytes. Exploitation requires only network access to the device's LAN-facing UPnP interface. Full technical details are available in the GitHub Security Advisory.
Detection Methods for CVE-2026-36611
Indicators of Compromise
- Repeated HTTP POST requests to TCP port 1900 originating from the same LAN host within short time windows
- POST requests to the UPnP endpoint that lack a SOAPAction header
- Outbound responses from the router containing fixed 128-byte payloads with non-printable or seemingly random bytes
Detection Strategies
- Inspect router-facing traffic for malformed SOAP requests on port 1900, specifically POST requests missing SOAPAction
- Deploy network IDS signatures that flag UPnP requests with missing or malformed SOAP headers
- Correlate high-volume small-response patterns from the router to a single internal host as a sign of memory sampling
Monitoring Recommendations
- Log all UPnP traffic on the LAN segment and alert on requests from non-trusted endpoints
- Capture full packet data on port 1900 to allow forensic review of request headers and response bodies
- Track the firmware version of Mercusys devices in asset inventory and flag AC12G(EU)_V1_200909 for remediation
How to Mitigate CVE-2026-36611
Immediate Actions Required
- Disable UPnP on the Mercusys AC12G router if the feature is not required by client devices
- Restrict LAN access to the router's management and UPnP services using network segmentation or VLANs
- Block external access to port 1900 at any upstream firewall to prevent pivoted exploitation
Patch Information
No vendor patch is referenced in the published advisory at the time of writing. Monitor Mercusys support channels for firmware updates that supersede AC12G(EU)_V1_200909. Review the GitHub Security Advisory for ongoing remediation status.
Workarounds
- Turn off the UPnP service on the router through the administrative interface
- Isolate the affected router on a segmented network with no untrusted clients
- Replace the device with hardware that receives active firmware support if a fix is not released
# Example: block UPnP port 1900 on an upstream Linux firewall
iptables -A FORWARD -p tcp --dport 1900 -j DROP
iptables -A FORWARD -p udp --dport 1900 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
