CVE-2026-31256

HighPublic PoC

Published: 27 April 2026

Published

27 April 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0002 6.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31256 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Mercurycom Mipc252W Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of RTSP Transport header inputs to prevent null pointer dereference from malformed SETUP requests.

SI-11 Error Handling good match

prevent

Mandates robust error handling during RTSP request parsing to avoid crashes from null pointer dereferences.

SI-2 Flaw Remediation good match

prevent

Directly addresses remediation of the specific null pointer dereference flaw in the RTSP service firmware.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Null pointer dereference in public RTSP service allows remote unauthenticated attacker to crash the service and trigger device reboot via single crafted SETUP request, directly matching Application or System Exploitation for Endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A null pointer dereference vulnerability exists in the RTSP service of the MERCURY MIPC252W 1.0.5 Build 230306 Rel.79931n. During the processing of a SETUP request for the path rtsp://<IP>:554/stream1/track2, the device fails to properly validate the Transport header field. When…

this header is improperly constructed, the RTSP service can dereference a NULL pointer during request parsing. Successful exploitation causes the device to crash and automatically reboot.

Deeper analysisAI

CVE-2026-31256 is a null pointer dereference vulnerability (CWE-476) in the RTSP service of the MERCURY MIPC252W IP camera running firmware version 1.0.5 Build 230306 Rel.79931n. The flaw occurs during processing of a SETUP request to the path rtsp://<IP>:554/stream1/track2 when the Transport header field is improperly constructed and not adequately validated, causing the service to dereference a NULL pointer during request parsing. Published on 2026-04-27, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability can be exploited remotely by unauthenticated attackers with network access to the device, requiring low complexity and no user interaction. By sending a specially crafted RTSP SETUP request with a malformed Transport header, an attacker triggers the NULL pointer dereference, crashing the RTSP service and causing the device to automatically reboot, resulting in a temporary denial of service.

Advisories and additional details are available in the referenced GitHub repositories at https://github.com/izxnfh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_1th/README.md.