CVE 10 CRITICAL

GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command_CVE-2026-12846

June 24, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.

Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

#### Net Mask field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

v6 = strlen(g_network_config->net_mask);

memcpy(&reply_buf[184], g_network_config->net_mask, v6);

AI Analysis

Buffer overflow vulnerability in DVRSearch service via CMD_IP_SET command

Basic Information

ID CVE-2026-12846

Source GV

Published Jun 24, 2026 at 03:34

Affected Product

Vendor GeoVision Inc.

Product GV-I/O Box 4E

Version V2.09

Affected Versions GeoVision Inc. GV-I/O Box 4E V2.09

CWE Classification

CWE-121

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor GeoVision Inc.

Product GV-I/O Box 4E

Version V2.09

References

{
    "lastseen": "",
    "description": "GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Net Mask field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v6 = strlen(g_network_config->net_mask);\n\n      memcpy(&reply_buf[184], g_network_config->net_mask, v6);",
    "published": "2026-06-24T03:34:25.543Z",
    "modified": "2026-06-24T03:34:25.543Z",
    "type": "cve",
    "title": "GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command",
    "source": "GV",
    "references": "https://www.geovision.com.tw/cyber_security.php\nhttps://talosintelligence.com/vulnerability_reports/TALOS-2026-2377",
    "id": "CVE-2026-12846",
    "bulletinFamily": "",
    "cwe": [
        "CWE-121"
    ],
    "cvelist": null,
    "sourceData": "GeoVision Inc. GV-I/O Box 4E V2.09",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GV-I/O Box 4E",
    "version": "V2.09",
    "vendor": "GeoVision Inc.",
    "ai_description": "Buffer overflow vulnerability in DVRSearch service via CMD_IP_SET command",
    "ai_severity": "Critical",
    "ai_vendor": "GeoVision Inc.",
    "ai_product": "GV-I/O Box 4E",
    "ai_version": "V2.09",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply