
GeoVision GV-LPC2011 CVE-2026-57875

EUVD-2026-39631 · HIGH
NULL Pointer Dereference (CWE-476)
2026-06-26 · GV · GHSA-9hv4-r5p9-3gf6
CVSS 3.1: 7.5 · Vendor: GV

Severity by source

Vendor (GV), primary: 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI: 7.5 HIGH

Remote, no-auth, low-complexity HTTP request triggers a crash (AV:N/AC:L/PR:N/UI:N); impact is availability-only DoS, so C:N/I:N/A:H with unchanged scope.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GV).

CVSS Vector (Vendor: GV)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 26, 2026 - 08:16 (vuln.today)

Description (CVE.org)

An unauthenticated NULL pointer dereference vulnerability exists in the HTTP request parsing logic of multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of required HTTP request metadata before it is used by the affected components. A remote attacker may exploit this vulnerability by sending a specially crafted HTTP request, causing the affected process to crash and resulting in a denial of service.

Analysis (AI)

Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate capture devices (firmware V1.12 and earlier) lets a remote, unauthenticated attacker crash the device by sending a single malformed HTTP request to its CGI interface. The flaw is a NULL pointer dereference in HTTP request-parsing logic shared across multiple CGI components, triggered when required request metadata is missing or malformed. …
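
The bug class described above, as an added example that is not GeoVision's code: a CGI handler that uses a request field without checking that it is present, beside a version that validates every required field first. The CGI environment variables, the struct and function names, and the 64 KiB limit are assumptions for illustration; the advisory does not say which metadata field is involved.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical view of request metadata in a CGI handler. A field the
 * client omitted is NULL, just as getenv() reports an unset variable. */
struct cgi_meta {
    const char *method;         /* REQUEST_METHOD */
    const char *content_type;   /* CONTENT_TYPE */
    const char *content_length; /* CONTENT_LENGTH */
};

#define MAX_BODY 65536L /* assumed upper bound for a request body */

/* Unsafe pattern (CWE-476): assumes the field is always present, so a
 * missing CONTENT_LENGTH reaches strtol() as NULL and the process dies. */
long body_len_unchecked(const struct cgi_meta *m) {
    return strtol(m->content_length, NULL, 10);
}

/* Hardened form: validate every required field before use. Returns the
 * body length (>= 0) or the negated HTTP status to reply with. */
long body_len_checked(const struct cgi_meta *m) {
    char *end = NULL;
    long n;

    if (m == NULL || m->method == NULL)
        return -400;
    if (strcmp(m->method, "POST") != 0)
        return -405;
    if (m->content_type == NULL || m->content_length == NULL ||
        m->content_length[0] == '\0')
        return -400;
    errno = 0;
    n = strtol(m->content_length, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0)
        return -400; /* non-numeric, overflowing or negative length */
    return n > MAX_BODY ? -413 : n;
}

int main(void) {
    struct cgi_meta m = { getenv("REQUEST_METHOD"), getenv("CONTENT_TYPE"),
                          getenv("CONTENT_LENGTH") };
    printf("result: %ld\n", body_len_checked(&m));
    return 0;
}
```

With the checked form, a request that lacks a required field is answered with an error status instead of taking the process down.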

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach device HTTP/CGI interface
Delivery: Craft request omitting required metadata
Exploit: Send to vulnerable CGI endpoint
Execution: NULL pointer dereference in parser
Impact: Process crashes, device offline (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only network reachability to the HTTP/CGI management interface of a GeoVision GV-LPC2011 or GV-LPC2211 running firmware V1.12 or earlier - per AV:N/AC:L/PR:N/UI:N there is no authentication, user interaction, or special configuration prerequisite beyond the attacker being able to send an HTTP request to the device's web service. …

Risk Assessment: The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, and an availability-only impact - a clean DoS profile, not code execution despite the HIGH score. …

Exploit Scenario: An attacker who can reach the device's HTTP management interface sends a single specially crafted request to one of the vulnerable CGI endpoints with required metadata omitted or malformed, causing the parser to dereference a NULL pointer and crash the process. The targeted GV-LPC unit drops offline (denial of service), interrupting license-plate capture; the attack needs no authentication and no user interaction, and can be repeated to keep the device down. …

Remediation: No vendor-released patch version is identified in the available data; the only reference is GeoVision's general security advisory page (https://www.geovision.com.tw/cyber_security.php), which should be checked for a firmware build newer than V1.12 and applied once available. …

Recommended Action (AI)

Within 24 hours: Inventory all GV-LPC2011 and GV-LPC2211 devices and document their current firmware version and network location. …
