Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries.
AnalysisAI
Stack-based buffer overflow in VIVOTEK FD8136 firmware FD8136-VVTK-0300a grants authenticated remote attackers root-level code execution by supplying an oversized POST parameter to any of three symlinked CGI admin endpoints. The vulnerable motion_privacy.cgi binary copies the n1 parameter into a fixed 164-byte (0xa4) stack buffer with no bounds check and no stack canary protection, overwriting the saved link register and diverting execution to attacker-controlled code. A public proof-of-concept is available on GitHub; no active exploitation has been confirmed in CISA KEV at time of analysis.
Technical ContextAI
The root cause is CWE-121 (Stack-based Buffer Overflow) in the motion_privacy.cgi CGI binary embedded in VIVOTEK FD8136 firmware. Three admin endpoints - /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, and /cgi-bin/admin/setmd_profile.cgi - are filesystem symlinks to this single binary, meaning all three paths are equally exploitable. The n1 POST parameter is copied into a stack-allocated buffer of exactly 0xa4 (164) bytes using an unsafe operation with no length validation. Overwriting the saved link register (rather than a return address on x86) indicates the device likely runs an ARM-based SoC, which is standard for embedded IP cameras. The absence of stack canaries removes the primary compile-time detection mechanism for this class of overflow. The NVD CPE entry (cpe:2.3:a:n/a:n/a) is uninformative and does not provide version-range precision beyond what the CVE description states.
RemediationAI
No vendor-released patch or updated firmware version has been identified from the available data - the references include only the vendor's homepage and the researcher's GitHub PoC, with no VIVOTEK security advisory or patched firmware release number. Monitor http://vivotek.com for firmware updates targeting FD8136-VVTK-0300a. Until a patch is available, restrict network access to the three vulnerable endpoints (/cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, /cgi-bin/admin/setmd_profile.cgi) via perimeter firewall or VLAN segmentation, ensuring these cameras are not reachable from untrusted networks; this is the highest-impact compensating control and eliminates the AV:N attack vector entirely at the cost of remote admin access. Additionally, enforce strong, unique administrative credentials across all FD8136 units to raise the bar for the PR:L authentication prerequisite - default or weak credentials would allow any network-reachable attacker to exploit this. The PoC at https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-35716 can be used in a lab environment to validate whether a future firmware update actually resolves the overflow.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33969
GHSA-pj36-9w4r-h2r4