{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12846", "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9", "state": "PUBLISHED", "assignerShortName": "GV", "dateReserved": "2026-06-22T00:26:45.854Z", "datePublished": "2026-06-24T03:34:25.543Z", "dateUpdated": "2026-06-24T12:55:36.396Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0df08a0e-a200-4957-9bb0-084f562506f9", "shortName": "GV", "dateUpdated": "2026-06-24T03:34:25.543Z"}, "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command", "datePublic": "2026-06-17T03:10:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "CWE-121 Stack-based buffer overflow", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "GeoVision Inc.", "product": "GV-I/O Box 4E", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "V2.09"}, {"status": "unaffected", "version": "v2.12"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*"}, {"vulnerable": false, "criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Net Mask field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n v6 = strlen(g_network_config->net_mask);\n\n memcpy(&reply_buf[184], g_network_config->net_mask, v6);", "supportingMedia": [{"type": "text/html", "base64": false, "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.<br><br><div>DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n<br>\n<br>Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n<br><br>#### Net Mask field stack overflow<br><br>The following code is vulnerable to a stack overflow that is attacker-controlled:\n<br>\n<br> v6 = strlen(g_network_config-&gt;net_mask);\n<br> memcpy(&amp;reply_buf[184], g_network_config-&gt;net_mask, v6);<br><br><br></div>"}]}], "references": [{"url": "https://www.geovision.com.tw/cyber_security.php", "tags": ["vendor-advisory"]}, {"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "timeline": [{"time": "2026-04-21T07:34:00.000Z", "lang": "en", "value": "Finder Reports Vulnerabilties to Vendor"}], "credits": [{"lang": "en", "value": "Philippe Laulheret of Cisco Talos", "type": "finder"}, {"lang": "en", "value": "Kelly Patterson of Cisco Talos", "type": "remediation reviewer"}, {"lang": "en", "value": "Robert Sherwin of Cisco Talos", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T12:55:27.854943Z", "id": "CVE-2026-12846", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:55:36.396Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12846", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-24T12:55:27.854943Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T12:55:32.702Z"}}], "cna": {"title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Philippe Laulheret of Cisco Talos"}, {"lang": "en", "type": "remediation reviewer", "value": "Kelly Patterson of Cisco Talos"}, {"lang": "en", "type": "coordinator", "value": "Robert Sherwin of Cisco Talos"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GeoVision Inc.", "product": "GV-I/O Box 4E", "versions": [{"status": "affected", "version": "V2.09"}, {"status": "unaffected", "version": "v2.12"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T07:34:00.000Z", "value": "Finder Reports Vulnerabilties to Vendor"}], "datePublic": "2026-06-17T03:10:00.000Z", "references": [{"url": "https://www.geovision.com.tw/cyber_security.php", "tags": ["vendor-advisory"]}, {"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Net Mask field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n v6 = strlen(g_network_config->net_mask);\n\n memcpy(&reply_buf[184], g_network_config->net_mask, v6);", "supportingMedia": [{"type": "text/html", "value": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.<br><br><div>DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n<br>\n<br>Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n<br><br>#### Net Mask field stack overflow<br><br>The following code is vulnerable to a stack overflow that is attacker-controlled:\n<br>\n<br> v6 = strlen(g_network_config-&gt;net_mask);\n<br> memcpy(&amp;reply_buf[184], g_network_config-&gt;net_mask, v6);<br><br><br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based buffer overflow"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.09:*:linux:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:geovision_inc.:gv-i_o_box_4e:v2.12:*:linux:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0df08a0e-a200-4957-9bb0-084f562506f9", "shortName": "GV", "dateUpdated": "2026-06-24T03:34:25.543Z"}}}, "cveMetadata": {"cveId": "CVE-2026-12846", "state": "PUBLISHED", "dateUpdated": "2026-06-24T12:55:36.396Z", "dateReserved": "2026-06-22T00:26:45.854Z", "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9", "datePublished": "2026-06-24T03:34:25.543Z", "assignerShortName": "GV"}, "dataVersion": "5.2"}

{}

{}

{"created": "2026-06-24T09:15:06.386267+00:00", "updated": "2026-06-24T09:15:06.386273+00:00", "vendors": []}