Weak XOR Obfuscation in Meari IoT SDK Affects Baby Monitors
CVE-2026-33361

7.5 HIGH

Key Information:

Vendor: Meari
CVE Published: 11 May 2026

What is CVE-2026-33361?

The Meari IoT SDK contains a vulnerability in its image handling, specifically within the library libmrplayer.so. The flaw affects certain versions of the SDK, notably CloudEdge 5.5.0 (build 220) and Arenti 1.8.1 (build 220), along with related white-label applications. It arises from the use of a reversible XOR operation that is applied only to the first 1024 bytes of certain .jpgx3 files and relies on a predictable key derivation model. This weakness can potentially allow unauthorized access to sensitive image data, exposing users to privacy risks.

Affected Version(s)

com.meari.sdk firmID=8

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sammy Azdoufal
Tod Beardsley of runZero, Inc.