Description
In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.
Published: 2026-05-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Meari’s image handling component, libmrplayer.so, applies a reversible XOR cipher to the first 1024 bytes of baby‑monitor JPEG files using a predictable key derivation model. The weakness lies in the limited scope of encryption and the deterministic key, allowing an attacker to recover the original image content. This flaw is classified as CWE‑326, representing insecure encryption practices. The CVSS score of 7.5 indicates a medium‑high severity, reflecting significant potential for privacy violations.
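Added example, not code from the advisory, OpenCVE, or the Meari SDK: a toy model of a prefix-only XOR scheme beside a defender-side audit that reports how much of a stored file lies outside the obfuscated prefix. The keystream, the sample image and the 1024-byte cutoff (taken from the description) are constructed assumptions; the real key derivation is not modelled.

```python
PREFIX_LEN = 1024            # only this many leading bytes are XORed (per the advisory)
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker; every JPEG begins with it
JPEG_EOI = b"\xff\xd9"       # end-of-image marker; every JPEG ends with it


def xor_prefix(data: bytes, keystream: bytes) -> bytes:
    """Model of the weak scheme: XOR only the first PREFIX_LEN bytes, pass the rest
    through untouched. XOR is its own inverse, so one call obfuscates and de-obfuscates."""
    head = bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data[:PREFIX_LEN]))
    return head + data[PREFIX_LEN:]


def constructed_jpeg(body_len: int) -> bytes:
    """Constructed stand-in for a camera snapshot: SOI marker, deterministic body, EOI."""
    return JPEG_SOI + bytes((i * 7919) & 0xFF for i in range(body_len)) + JPEG_EOI


def audit_jpgx3(blob: bytes) -> dict:
    """Defender-side check of a stored .jpgx3-style file: how many bytes sit outside the
    protected prefix, and whether JPEG structure (the EOI marker) is visible in the clear."""
    tail = blob[PREFIX_LEN:]
    return {
        "unprotected_bytes": len(tail),
        "eoi_marker_in_clear": tail.endswith(JPEG_EOI),
        "plaintext_tail_ratio": round(len(tail) / len(blob), 3) if blob else 0.0,
    }


def same_key_cancels(a: bytes, b: bytes, keystream: bytes) -> bool:
    """Consequence of a deterministic key: if two files are obfuscated under the same
    keystream, XORing their prefixes cancels the key and leaves plaintext XOR plaintext."""
    ca, cb = xor_prefix(a, keystream), xor_prefix(b, keystream)
    n = min(PREFIX_LEN, len(a), len(b))
    cipher_xor = bytes(x ^ y for x, y in zip(ca[:n], cb[:n]))
    plain_xor = bytes(x ^ y for x, y in zip(a[:n], b[:n]))
    return cipher_xor == plain_xor


if __name__ == "__main__":
    key = bytes(range(1, 33))                 # constructed 32-byte keystream
    snapshot = constructed_jpeg(4000)         # ~4 KB constructed image
    stored = xor_prefix(snapshot, key)
    print(audit_jpgx3(stored))                # most of the file is never protected
    print(xor_prefix(stored, key) == snapshot)  # same call restores the original
```

Running the block on the constructed image shows roughly three quarters of the file stored in the clear, which is the property the Recommended Actions below address by re-encrypting the whole file with a proven cipher.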

Affected Systems

The vulnerability is present in the Meari SDK (com.meari.sdk) used in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white‑label baby‑monitor applications up to version 1.8.x.

Risk and Exploitability

Because the XOR obfuscation applies only to the first 1024 bytes and the key is easily derivable, an attacker who can obtain or intercept the obfuscated image files can reconstruct the original image. The CVSS score of 7.5 highlights the risk, but the EPSS score is unavailable, making current exploitation likelihood uncertain. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the most likely attack vector is interception or direct access to the device’s stored or transmitted image data, from which the weak encryption can be reversed.

Generated by OpenCVE AI on May 11, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Meari SDK to the latest release that removes the weak XOR obfuscation or implements a strong encryption algorithm.
  • If upgrading is not immediately possible, avoid transmitting or storing .jpgx3 files; instead re‑encrypt them with a proven, secure cipher before use.
  • Restrict network access to the devices and monitor for anomalous activity that could indicate unauthorized extraction of image files.

Generated by OpenCVE AI on May 11, 2026 at 17:55 UTC.


Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

First Time appeared
  Values Added: Meari; Meari com.meari.sdk
Vendors & Products
  Values Added: Meari; Meari com.meari.sdk

Mon, 11 May 2026 19:15:00 +0000

Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 16:30:00 +0000

Description
  Values Added: In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.
Title
  Values Added: Meari weak XOR obfuscation
Weaknesses
  Values Added: CWE-326
References
  Values Added: (none)
Metrics (cvssV3_1)
  Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-05-11T18:17:43.933Z

Reserved: 2026-03-19T00:27:05.987Z

Link: CVE-2026-33361

Vulnrichment

Updated: 2026-05-11T18:17:40.833Z

NVD

Status: Received

Published: 2026-05-11T17:16:30.970

Modified: 2026-05-11T17:16:30.970

Link: CVE-2026-33361

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:57Z

Weaknesses