Cyber Resilience

CVE-2026-31256

Severity: High · Public PoC

Published: 27 April 2026
Modified: 05 May 2026
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (10.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31256 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Mercurycom Mipc252W Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks this CVE at the 10.9th percentile by exploit likelihood, below the median. It is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-31256 is a null pointer dereference vulnerability (CWE-476) in the RTSP service of the MERCURY MIPC252W IP camera running firmware version 1.0.5 Build 230306 Rel.79931n. The flaw occurs during processing of a SETUP request to the path rtsp://<IP>:554/stream1/track2 when the Transport header field is improperly constructed and not adequately validated, causing the service to dereference a NULL pointer during request parsing. Published on 2026-04-27, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability can be exploited remotely by unauthenticated attackers with network access to the device, requiring low complexity and no user interaction. By sending a specially crafted RTSP SETUP request with a malformed Transport header, an attacker triggers the NULL pointer dereference, crashing the RTSP service and causing the device to automatically reboot, resulting in a temporary denial of service.
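As an added illustration of the two mitigations the record recommends (SI-10 input validation, SI-11 error handling), the following C function validates an RTSP Transport header of the kind a SETUP request carries and returns an error code instead of dereferencing a pointer that a failed lookup left NULL. This is example code written for this page, not the camera's firmware and not code from the referenced repository; the buffer size, the accepted parameters and the port range are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Illustrative only: the buffer size and accepted parameters are assumptions,
 * not taken from the MIPC252W firmware. */
#define TRANSPORT_MAX 256

/* Validates a Transport header such as "RTP/AVP;unicast;client_port=8000-8001"
 * and returns the first client_port, or -1 if the header is missing or
 * malformed (SI-10).  A parser written as atoi(strchr(tok, '=') + 1)
 * dereferences NULL when the '=' is absent (CWE-476); here every lookup that
 * can fail is checked and the request is rejected rather than crashing the
 * service (SI-11). */
int transport_client_port(const char *header)
{
    char buf[TRANSPORT_MAX];
    char *tok;
    int unicast = 0, rtp_port = -1;

    if (header == NULL || strlen(header) >= sizeof buf)
        return -1;                              /* missing or oversized header */
    memcpy(buf, header, strlen(header) + 1);    /* strtok modifies its input */

    tok = strtok(buf, ";");
    if (tok == NULL || strncmp(tok, "RTP/AVP", 7) != 0)
        return -1;                              /* transport spec is mandatory */

    while ((tok = strtok(NULL, ";")) != NULL) {
        if (strcmp(tok, "unicast") == 0) {
            unicast = 1;
        } else if (strncmp(tok, "client_port=", 12) == 0) {
            const char *s = tok + 12;
            char *end;
            long lo = strtol(s, &end, 10);      /* end is never NULL */
            if (end == s || *end != '-' || lo < 1 || lo > 65535)
                return -1;                      /* "client_port=" or no range */
            s = end + 1;
            long hi = strtol(s, &end, 10);
            if (end == s || *end != '\0' || hi < 1 || hi > 65535)
                return -1;                      /* "client_port=8000-" */
            rtp_port = (int)lo;
        }                                       /* unknown parameters are ignored */
    }
    /* a UDP unicast SETUP needs both parameters; anything else is rejected */
    return (unicast && rtp_port > 0) ? rtp_port : -1;
}
```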

An advisory with additional details is available in the referenced GitHub repository: https://github.com/izxnfh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_1th/README.md.


Vulnerability details

A null pointer dereference vulnerability exists in the RTSP service of the MERCURY MIPC252W 1.0.5 Build 230306 Rel.79931n. During the processing of a SETUP request for the path rtsp://<IP>:554/stream1/track2, the device fails to properly validate the Transport header field. When this header is improperly constructed, the RTSP service can dereference a NULL pointer during request parsing. Successful exploitation causes the device to crash and automatically reboot.

CWE(s)

CWE-476 NULL Pointer Dereference

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference in public RTSP service allows remote unauthenticated attacker to crash the service and trigger device reboot via single crafted SETUP request, directly matching Application or System Exploitation for Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35903 (same product: Mercurycom Mipc252W)
CVE-2026-40413 (shared CWE-476)
CVE-2025-57155 (shared CWE-476)
CVE-2026-28390 (shared CWE-476)
CVE-2026-23952 (shared CWE-476)
CVE-2025-57156 (shared CWE-476)
CVE-2025-63647 (shared CWE-476)
CVE-2025-69624 (shared CWE-476)
CVE-2024-55193 (shared CWE-476)
CVE-2025-63648 (shared CWE-476)

Affected Assets

Vendor: mercurycom
Product: mipc252w firmware
Version: 1.0.5

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (Information Input Validation), prevent: Requires validation of RTSP Transport header inputs to prevent a null pointer dereference from malformed SETUP requests.

SI-11 (Error Handling), prevent: Mandates robust error handling during RTSP request parsing to avoid crashes from null pointer dereferences.

prevent: Directly addresses remediation of the specific null pointer dereference flaw in the RTSP service firmware.
