🚀 runZero 4.9 is here: Map the unmappable. Secure every path. More
runZero CAASM

On This Page:

  1. Executive summary
  2. Technical details
  3. Attacker value
  4. Credit
  5. Timeline

Meari weak XOR obfuscation

todb
|
Updated
Vendors Meari
Products
Meari IoT SDK (com.meari.sdk) (firmID=8)
  • Meari IoT SDK (com.meari.sdk) (firmID=8)
Related

Executive summary #

In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.

This is obfuscation rather than robust encryption, so exposed or collected .jpgx3 artifacts can be converted back to viewable JPEG images with minimal effort.

This is an instance of CWE-326: Inadequate Encryption Strength, and has an estimated CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High).

Technical details #

Further technical details can be found at the original disclosure, Nobody Puts Baby In A Corner.

Attacker value #

Weak image protection reduces attacker workload from “break crypto” to straightforward decoding, enabling rapid conversion of protected baby-monitor artifacts into viewable photos of intimite moments. In practical chains, attackers can source .jpgx3 objects from unauthenticated storage exposure in CVE-2026-33359 and decode them offline, turning cloud data leakage into immediately exploitable child-monitoring privacy compromise.

Credit #

These issues were discovered, documented, and disclosed by Sammy Azdoufal. CVE coordination was performed by Tod Beardsley of runZero, Inc.

Timeline #

2026-03-11: Issues identified by the researcher, reviewed by runZero, and disclosed to vendor

2026-04-03: Opened VINCE Case VU#579666 with CISA for tracking

2026-April/May: Email comms between the vendor and the researcher, throughout April and May

2026-04-28: Researcher and runZero refined findings

2026-05-06: Confirmed findings and disclosure process with The Verge

2026-05-11: Public disclosure of CVE-2026-33356

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.

More about todb
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved