CVE-2026-36613 Overview
CVE-2026-36613 is an information disclosure vulnerability in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909. The device returns 128 bytes of uninitialized internal buffer contents when its HTTP server receives POST requests to undefined paths. An unauthenticated attacker on an adjacent network can repeatedly query the device to harvest residual memory contents, exposing server state. The flaw is classified under [CWE-125] Out-of-Bounds Read and is exploitable without user interaction or credentials.
Critical Impact
Unauthenticated adjacent-network attackers can leak 128 bytes of uninitialized memory per request, potentially exposing sensitive runtime state from the embedded HTTP server.
Affected Products
- Mercusys AC12G (EU) V1 router
- Firmware version AC12G(EU)_V1_200909
- Embedded HTTP management server on the device
Discovery Timeline
- 2026-06-03 - CVE-2026-36613 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-36613
Vulnerability Analysis
The Mercusys AC12G HTTP server allocates a response buffer when processing incoming POST requests. When the request targets a path the server does not recognize, the handler returns a fixed-size 128-byte response without first zeroing or fully populating the buffer. The remaining bytes contain leftover data from prior memory use. The vulnerability falls into the Out-of-Bounds Read and Uninitialized Memory Use categories. While each individual leak is limited, repeated requests allow attackers to accumulate residual data over time. The leaked content may include heap fragments, prior request data, session tokens, or other runtime state held by the embedded web server.
Root Cause
The root cause is missing buffer initialization in the HTTP server's default-path handler. The handler reserves a 128-byte response region but does not call a zero-fill routine such as memset before writing partial content or returning the buffer to the requesting client. The unwritten bytes retain whatever data previously occupied that memory location.
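To illustrate the defect described above, here is an added example (not the vendor's firmware code, and not from the advisory) that models a recycled 128-byte response buffer: the vulnerable default-path handler writes a short status line and hands back the full buffer without clearing it, while the hardened version zero-fills the region and reports only the bytes it actually wrote. The shared buffer, the prior request's cookie and the handler names are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define RESP_LEN 128   /* fixed response size named in the advisory */

/* Constructed: one reusable response buffer shared across requests,
 * standing in for the server's recycled memory. */
static char g_resp[RESP_LEN];

/* Constructed: an earlier, legitimate request leaves a cookie in the buffer. */
void prior_request(void) {
    const char *page = "HTTP/1.1 200 OK\r\nSet-Cookie: SESSION=deadbeef-cafe\r\n\r\n";
    memset(g_resp, 0, RESP_LEN);
    memcpy(g_resp, page, strlen(page));
}

/* Vulnerable default-path handler, modelled on the advisory's description:
 * writes a short status line but hands back all 128 bytes without clearing
 * them first, so the tail still holds whatever the last request left. */
const char *default_handler_vulnerable(size_t *out_len) {
    const char *status = "HTTP/1.1 404 Not Found\r\n\r\n";
    memcpy(g_resp, status, strlen(status));      /* no memset before use */
    *out_len = RESP_LEN;                          /* fixed-size reply */
    return g_resp;
}

/* Hardened handler: zero-fill the region before use and report only the
 * bytes actually written, so stale data can neither survive nor be sent. */
const char *default_handler_fixed(size_t *out_len) {
    const char *status = "HTTP/1.1 404 Not Found\r\n\r\n";
    memset(g_resp, 0, RESP_LEN);
    memcpy(g_resp, status, strlen(status));
    *out_len = strlen(status);
    return g_resp;
}

/* Does the response carry the residual cookie? (binary-safe search) */
int response_leaks_token(const char *resp, size_t len) {
    const char *needle = "SESSION=";
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(resp + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    size_t len;
    prior_request();
    printf("vulnerable leaks cookie: %d\n", response_leaks_token(default_handler_vulnerable(&len), len));
    prior_request();
    printf("fixed leaks cookie:      %d\n", response_leaks_token(default_handler_fixed(&len), len));
    return 0;
}
```

The same check applies when auditing any fixed-size reply path: compare the number of bytes written with the number of bytes sent, and treat any gap as potential disclosure.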
Attack Vector
The attack requires adjacent network access, typically a position on the same Wi-Fi network or LAN segment as the router. The attacker sends crafted HTTP POST requests to non-existent URLs on the device's management interface. The server responds with the 128-byte buffer containing uninitialized memory. No authentication, user interaction, or elevated privileges are required. For exploitation specifics, see the GitHub Security Advisory.
Detection Methods for CVE-2026-36613
Indicators of Compromise
- Repeated HTTP POST requests from a single LAN client to undefined or random paths on the router management interface.
- Anomalous outbound traffic from a wireless or wired client targeting the router's HTTP port with malformed URIs.
- HTTP responses from the router consistently returning 128-byte payloads to non-existent endpoints.
Detection Strategies
- Inspect router access logs, where available, for POST requests to paths not part of the documented management interface.
- Deploy network monitoring on management VLANs to flag clients issuing high-volume requests to embedded device IPs.
- Correlate adjacent-network HTTP traffic patterns against baseline administrative usage to identify scanning behavior.
Monitoring Recommendations
- Capture and review traffic between client devices and router management interfaces using a passive tap or span port.
- Alert on bursts of HTTP POST requests targeting consumer router IP addresses from non-administrative endpoints.
- Monitor for clients enumerating URI paths against the router, which often precedes targeted exploitation.
How to Mitigate CVE-2026-36613
Immediate Actions Required
- Restrict access to the router management interface to trusted administrative hosts only, using LAN access control lists where supported.
- Disable remote management features and ensure the HTTP server is not exposed to untrusted Wi-Fi clients or guest networks.
- Segment guest and IoT devices onto isolated SSIDs to limit adjacent-network exposure to the management interface.
Patch Information
No vendor patch is referenced in the available advisory data. Consult the GitHub Security Advisory and the Mercusys support site for firmware updates beyond AC12G(EU)_V1_200909. Apply any newer firmware release that addresses uninitialized memory handling in the HTTP server.
Workarounds
- Place the affected router behind a network boundary that blocks untrusted devices from reaching its HTTP management port.
- Use a strong, unique Wi-Fi passphrase and WPA2/WPA3 encryption to reduce the pool of adjacent-network attackers.
- Where feasible, replace the affected device with a supported router that receives current security updates.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.