Executive Summary
A critical stack overflow vulnerability (CVE-2026-12846) with a CVSS score of 10 has been discovered in GeoVision GV-I/O Box 4E, a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. The vulnerability affects version V2.09 and can be exploited by sending a crafted UDP message to the DVRSearch service listening on port 10001. This vulnerability allows an attacker to potentially achieve arbitrary code execution, confidentiality, integrity, and availability impacts.
Technical Analysis
The vulnerability is classified as a stack overflow (CWE-121). The DVRSearch service, running by default on the IOBox and listening for UDP messages on port 10001, is vulnerable. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer, and a pointer to the buffer is stored in a global variable. Specifically, the code is vulnerable in the handling of the 'Net Mask' field, where a strlen() of g_network_config->net_mask is used to calculate the length for a memcpy() operation into a reply buffer (reply_buf). An attacker can control the length and content of g_network_config->net_mask, leading to a potential stack overflow.
How It Gets Exploited
An unauthenticated remote attacker on the same network can send a crafted UDP message to the DVRSearch service listening on port 10001. The message can be crafted to overflow the stack by providing a specially designed 'Net Mask' field that exceeds the buffer size, causing the memcpy() operation to write beyond the buffer bounds. This can lead to the corruption of the call stack, allowing an attacker to potentially execute arbitrary code, escalate privileges, or cause a denial-of-service condition.
Impact Assessment
The vulnerability affects GeoVision GV-I/O Box 4E version V2.09. An attacker can achieve arbitrary code execution, confidentiality, integrity, and availability impacts, with a CVSS score of 10 indicating critical severity. The vulnerability has not been reported to be actively exploited.
Recommended Actions
- Update GeoVision GV-I/O Box 4E to version V2.12 or later.
- Block UDP port 10001 at the network perimeter to limit exposure, if possible.
- Implement network segmentation to isolate vulnerable devices from critical networks.
- Monitor network traffic for suspicious UDP messages on port 10001.
Sources
- National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2026-12846
- Talos Intelligence - https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377
- GeoVision Cyber Security Page - https://www.geovision.com.tw/cyber_security.php