CVE-2026-12846
Received - Intake
Stack Overflow in GV-I/O Box 4E DVRSearch Service

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: 0df08a0e-a200-4957-9bb0-084f562506f9

Description

GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service that runs by default on the I/O Box and listens for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer, and a pointer to that buffer is stored in a global variable.

Net Mask field stack overflow

The following code is vulnerable to an attacker-controlled stack overflow: the copy length is taken from strlen() of the stored net mask, and nothing checks it against the space remaining in reply_buf after offset 184.

    v6 = strlen(g_network_config->net_mask);              /* length comes from the stored string, not from the buffer */
    memcpy(&reply_buf[184], g_network_config->net_mask, v6);
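For contrast with the unbounded copy above, the following is an added example, not GeoVision's code and not taken from the advisory. It shows the two checks a defender would expect on this path: a validator that a CMD_IP_SET handler should apply before a net mask is ever stored in the global config (the same test an analyst can apply to a Net Mask field extracted from captured traffic), and a bounded replacement for the reply-building copy. The offset 184 is from the advisory; the field width (16 bytes), the reply buffer size (512), the config layout, and all function names are assumptions made for the example.

```c
/* Added example, not GeoVision code. Sizes marked "assumed" are not from the advisory. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NET_MASK_OFFSET 184    /* reply offset taken from the advisory's memcpy */
#define NET_MASK_FIELD  16     /* assumed: room for "255.255.255.255" plus NUL */
#define REPLY_BUF_SIZE  512    /* assumed: size of the on-stack reply buffer */

/* Assumed shape of the global config the advisory's code reads from. */
struct network_config {
    char net_mask[64];         /* assumed storage size */
};

/* Length of s, stopping at max bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Validate a dotted-quad netmask: exactly four decimal octets in 0..255,
 * at most 15 characters, no sign/whitespace, no trailing data, and the mask
 * bits must be contiguous ones followed by zeros. */
bool is_valid_net_mask(const char *s)
{
    if (s == NULL) return false;
    if (bounded_len(s, NET_MASK_FIELD) > 15) return false;   /* longest valid form is 15 chars */

    uint32_t mask = 0;
    const char *p = s;
    for (int i = 0; i < 4; i++) {
        if (*p < '0' || *p > '9') return false;               /* octet must start with a digit */
        unsigned v = 0, digits = 0;
        while (*p >= '0' && *p <= '9') {
            v = v * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || v > 255) return false;
            p++;
        }
        mask = (mask << 8) | v;
        if (i < 3) {
            if (*p != '.') return false;
            p++;
        }
    }
    if (*p != '\0') return false;                             /* trailing garbage */

    uint32_t inv = ~mask;                                     /* contiguous iff inv == 2^k - 1 */
    return (inv & (inv + 1u)) == 0;
}

/* CMD_IP_SET path: refuse anything that is not a well-formed mask, so an
 * oversize or malformed string never reaches the global config. */
bool set_net_mask(struct network_config *cfg, const char *requested)
{
    if (!is_valid_net_mask(requested)) return false;
    snprintf(cfg->net_mask, sizeof cfg->net_mask, "%s", requested);   /* at most 15 chars here */
    return true;
}

/* Hardened counterpart of the advisory's memcpy(&reply_buf[184], net_mask, strlen(net_mask)):
 * the copy is limited by the field width and by the reply buffer size.
 * Returns bytes copied, or -1 if the value would not fit. */
int copy_net_mask_bounded(char *reply_buf, size_t reply_size,
                          const struct network_config *cfg)
{
    if (reply_size < NET_MASK_OFFSET + NET_MASK_FIELD) return -1;   /* layout sanity check */
    size_t len = bounded_len(cfg->net_mask, sizeof cfg->net_mask);
    if (len >= NET_MASK_FIELD) return -1;                           /* too long for the field */
    memcpy(reply_buf + NET_MASK_OFFSET, cfg->net_mask, len);
    memset(reply_buf + NET_MASK_OFFSET + len, 0, NET_MASK_FIELD - len);
    return (int)len;
}

/* Self-checks on constructed inputs: a valid mask is copied (13 bytes); a
 * 40-byte string placed in the config without validation is refused. */
int demo_copy_valid(void)
{
    struct network_config cfg = {{0}};
    char reply_buf[REPLY_BUF_SIZE] = {0};
    if (!set_net_mask(&cfg, "255.255.255.0")) return -2;
    return copy_net_mask_bounded(reply_buf, sizeof reply_buf, &cfg);
}

int demo_copy_oversize(void)
{
    struct network_config cfg = {{0}};
    char reply_buf[REPLY_BUF_SIZE] = {0};
    memset(cfg.net_mask, 'A', 40);    /* what an unchecked CMD_IP_SET could leave behind */
    return copy_net_mask_bounded(reply_buf, sizeof reply_buf, &cfg);
}

int main(void)
{
    const char *samples[] = {"255.255.255.0", "255.255.255.255", "255.255.0.255", "256.1.1.1"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], is_valid_net_mask(samples[i]) ? "accepted" : "rejected");
    printf("valid copy: %d bytes, oversize copy: %d\n", demo_copy_valid(), demo_copy_oversize());
    return 0;
}
```

The validator rejects the input at the point where it enters the device, which is the fix that removes the bug class; the bounded copy is defence in depth for the reply builder in case some other path writes to the config. The contiguity test also catches values such as 255.255.0.255 that are syntactically octets but are not netmasks.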
Affected Vendors & Products

Vendor: geovision
Product: gv-i/o_box_4e
Version / Range: 2.09
CWE

CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Executive Summary

CVE-2026-12846 is a stack-based buffer overflow vulnerability in the GeoVision GV-I/O Box 4E device, specifically in the DVRSearch service that listens for UDP messages on port 10001. The vulnerability occurs when the device improperly handles the Net Mask field in incoming messages, allowing an attacker to overflow a stack buffer by sending a specially crafted network request. This overflow can lead to arbitrary code execution on the device.

Compliance Impact

The vulnerability CVE-2026-12846 is a critical stack-based buffer overflow in the GeoVision GV-I/O Box 4E device that allows arbitrary code execution, impacting confidentiality, integrity, and availability of the system.

Such a critical vulnerability can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity. Exploitation could lead to unauthorized access or data breaches, violating these regulations.

GeoVision maintains a structured vulnerability management process and promptly addresses critical vulnerabilities with unscheduled updates and detailed documentation, supporting compliance efforts by reducing exposure time and helping users apply fixes.

Impact Analysis

This vulnerability has a critical impact with a CVSS score of 10.0, meaning it can fully compromise the affected device. Exploiting this flaw can lead to arbitrary code execution, allowing an attacker to take control of the device remotely without any privileges or user interaction. This can result in complete loss of confidentiality, integrity, and availability of the device and potentially the network it is connected to.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for UDP messages sent to port 10001 on the GeoVision GV-I/O Box 4E device. Specifically, detection involves identifying specially crafted network requests targeting the DVRSearch service's CMD_IP_SET functionality that manipulate the Net Mask field.

A practical approach is to capture and analyze UDP packets on port 10001 using network tools such as tcpdump or Wireshark.

  • Use tcpdump to capture UDP traffic on port 10001: tcpdump -i <interface> udp port 10001
  • Analyze captured packets for unusually large or malformed Net Mask fields that could indicate an attempt to exploit the stack overflow.
  • Check device logs or monitoring systems for unexpected crashes or reboots, which may indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to apply the vendor-released patch for the GeoVision GV-I/O Box 4E device, which addresses the stack-based buffer overflow vulnerability in the DVRSearch service.

Until the patch is applied, it is recommended to restrict network access to UDP port 10001 on the device to trusted sources only, effectively limiting exposure to potential attackers.

Additionally, monitor the device for any signs of compromise or unusual behavior and consider isolating the device from untrusted networks.
