CVE-2026-42369
Stack Overflow in GV-VMS V20 Video Monitoring Software
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gv-vms | v20 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in GV-VMS V20, a Video Monitoring Software that manages surveillance camera feeds and other security devices. The software includes a web server feature called "WebCam Server" which allows remote access via a web interface.
The vulnerability is a stack overflow caused by an unbounded copy operation in the `gvapi` endpoint's authentication mechanism. Specifically, a base64-decoded string is copied character-by-character into a fixed-size buffer of 256 characters without checking whether the decoded string exceeds this size.
If an attacker sends a base64-encoded string longer than 256 characters, it causes a stack overflow. Because the web server is compiled without ASLR (Address Space Layout Randomization), this overflow can be exploited to execute arbitrary code with SYSTEM privileges on the affected machine.
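As an added illustration (this is not GeoVision's code and the advisory shows no source), the C decoder below performs the check the description says is missing: it computes the decoded size of a base64 string before copying and refuses any input whose decoded bytes would not fit in the 256-byte buffer. The buffer name `GV_BUF_SIZE` and the helper functions are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#define GV_BUF_SIZE 256   /* the fixed-size buffer named in the advisory (assumed name) */

static int b64_val(char c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}
/* Decode base64 `s` into out[cap]. Returns the decoded length, or -1 if the input
   is malformed or the decoded bytes plus a NUL would not fit: this up-front size
   check is what the unbounded character-by-character copy lacks. */
int decode_bounded(const char *s, char *out, size_t cap) {
    size_t n = strlen(s), pad, need, o = 0;
    if (n == 0 || n % 4 != 0) return -1;
    pad = (s[n - 1] == '=') + (s[n - 2] == '=');
    need = n / 4 * 3 - pad;
    if (need + 1 > cap) return -1;            /* reject; never write past cap */
    for (size_t i = 0; i < n; i += 4) {
        int v[4];
        for (int k = 0; k < 4; k++)
            if ((v[k] = s[i + k] == '=' ? 0 : b64_val(s[i + k])) < 0) return -1;
        unsigned t = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        if (o < need) out[o++] = (char)(t >> 16 & 0xff);
        if (o < need) out[o++] = (char)(t >> 8 & 0xff);
        if (o < need) out[o++] = (char)(t & 0xff);
    }
    out[o] = '\0';
    return (int)o;
}
/* Decode into a GV_BUF_SIZE stack buffer: 1 if it equals `expect`, 0 if not, -1 if rejected. */
int decodes_to(const char *b64, const char *expect) {
    char buf[GV_BUF_SIZE];
    if (decode_bounded(b64, buf, sizeof buf) < 0) return -1;
    return strcmp(buf, expect) == 0;
}
/* Self-check: base64 of `nbytes` zero bytes; 1 if decode_bounded accepts it, 0 if it rejects. */
int accepts_decoded_size(size_t nbytes) {
    size_t groups = (nbytes + 2) / 3, len = groups * 4, rem = nbytes % 3;
    char out[GV_BUF_SIZE], *b64 = malloc(len + 1);
    if (!b64) return -1;
    memset(b64, 'A', len); b64[len] = '\0';   /* 'A' groups decode to zero bytes */
    if (rem >= 1) b64[len - 1] = '=';
    if (rem == 1) b64[len - 2] = '=';
    int r = decode_bounded(b64, out, sizeof out);
    free(b64);
    return r >= 0;
}
```

The same size check, applied to the base64 part of an incoming `Authorization: Basic` header, also gives a cheap pre-filter: anything whose decoded length cannot fit the buffer is rejected before it reaches the stack.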
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to gain full code execution on the system running the GV-VMS service.
- An attacker can remotely exploit the stack overflow to execute arbitrary code with SYSTEM-level privileges.
- This could lead to complete compromise of the affected system, including unauthorized access to surveillance feeds and control over security devices.
- The attacker does not require any user interaction or prior privileges to exploit this vulnerability.
- Given the critical CVSS score of 10.0, the vulnerability poses a high risk to confidentiality, integrity, and availability of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in GV-VMS V20 allows an attacker to gain full code execution as SYSTEM on the machine running the service due to a stack overflow in the webserver component. This can lead to unauthorized access and control over surveillance video feeds and management features.
Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, secure access controls, and prevention of unauthorized data disclosure.
However, the provided context does not explicitly mention the impact on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the GV-VMS V20 software, specifically when the "WebCam Server" feature is enabled, exposing a web interface with a vulnerable gvapi endpoint that uses HTTP Authorization headers.
To detect this vulnerability on your network or system, you can check if the GV-VMS V20 software is running and if the WebCam Server feature is enabled, exposing the web interface.
You can attempt to identify the vulnerable service by scanning for open HTTP ports on the target machine and then sending requests to the /gvapi endpoint to observe the authentication mechanism.
- Use nmap to scan for open HTTP ports: `nmap -p 80,8080,8000 <target-ip>`
- Use curl or similar tools to send a request to the `gvapi` endpoint and check the response headers and authentication method: `curl -I http://<target-ip>/gvapi`
- Check for Basic or Digest HTTP Authorization headers in requests to the `gvapi` endpoint.
Because the vulnerability involves a stack overflow triggered by a base64 decoded string larger than 256 characters, detection might also involve monitoring for unusual or malformed Authorization headers or abnormal application behavior.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the WebCam Server feature if remote access is not required, thereby preventing exposure of the vulnerable web interface.
Ensure that the GV-VMS V20 software is updated to the latest version provided by GeoVision, as they maintain a structured vulnerability management process and release patches for critical vulnerabilities.
Restrict network access to the GV-VMS server, especially blocking external access to the HTTP ports used by the WebCam Server.
- Disable the WebCam Server feature in GV-VMS V20 if not needed.
- Apply any available security updates or patches from GeoVision promptly.
- Use firewall rules to limit access to the GV-VMS server to trusted hosts only.