Skip to main content

GV-I/O Box 4E CVE-2026-12846

| EUVDEUVD-2026-38647 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-06-24 GV GHSA-4774-xxfv-2x4f
10.0
CVSS 3.1 · Vendor: GV
Share

Severity by source

Vendor (GV) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Single unauthenticated UDP packet to default-listening service yields code execution; scope kept Unchanged as compromise stays within the device's security authority.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GV).

CVSS VectorVendor: GV

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:31 vuln.today

DescriptionCVE.org

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.

Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

Net Mask field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

v6 = strlen(g_network_config->net_mask);

memcpy(&reply_buf[184], g_network_config->net_mask, v6);

AnalysisAI

Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify GV-I/O Box on UDP/10001
Delivery
Craft DVRSearch packet with oversized net_mask
Exploit
Send single UDP datagram to device
Install
Overflow stack via unchecked memcpy
C2
Overwrite saved return address
Execute
Execute shellcode as DVRSearch service
Impact
Pivot to relay/OT control

Vulnerability AssessmentAI

Exploitation The DVRSearch service must be running and reachable on UDP/10001, which is the default configuration on GV-I/O Box 4E - no authentication, user interaction, or non-default settings are required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals converge on high real-world risk: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H means a single unauthenticated UDP packet from anywhere with network reach to the device yields full compromise with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same Layer 2 segment, VPN, or any routed network with reach to UDP/10001 sends a single crafted DVRSearch packet whose embedded net_mask field is a long attacker-controlled string. The memcpy at reply_buf[184] overflows the stack, overwriting the saved return address to redirect execution into shellcode placed elsewhere in the 1460-byte payload, granting code execution on the device with the privileges of the DVRSearch daemon; no public exploit was identified at time of analysis but the primitive is straightforward.
Remediation No vendor-released patch identified at time of analysis; monitor the GeoVision security page at https://www.geovision.com.tw/cyber_security.php and the Talos advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377 for fixed firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all GeoVision GV-I/O Box 4E devices; implement firewall rules blocking UDP port 10001 from untrusted networks; isolate affected devices to segmented network if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy