CVE-2026-42800
Published: 30 April 2026
Summary
CVE-2026-42800 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Asrmicro Asr1901 Firmware. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 4.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-42800 is a NULL pointer dereference vulnerability (CWE-476) in the ASR1903 component of ASR Lapwing_Linux on Linux, specifically affecting the ims_client modules and associated with the program file sip/utils/src/sipuri.c. This flaw allows pointer manipulation and has a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L). It was published on 2026-04-30.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation changes scope (S:C), potentially resulting in low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), enabling pointer manipulation as described.
For mitigation details, refer to the vendor advisory at https://www.asrmicro.com/en/goods/psirt?cid=44.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26360
Vulnerability details
NULL pointer dereference vulnerability in ASR1903 in ASR Lapwing_Linux on Linux (ims_client modules) allows Pointer Manipulation. This vulnerability is associated with program files sip/utils/src/sipuri.c.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The remote network-accessible NULL pointer dereference in the ims_client SIP module directly enables exploitation of remote services to trigger pointer manipulation and achieve limited impacts on the target Linux system.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the NULL pointer dereference flaw in sip/utils/src/sipuri.c via patching as per vendor advisory.
Enforces validation of SIP URI inputs to ims_client modules, preventing malformed inputs that trigger the NULL pointer dereference and pointer manipulation.
Mandates secure error handling to eliminate unhandled exceptions from NULL pointer dereferences, avoiding crashes or disclosures in ASR1903.