Executive Summary
A high-severity vulnerability, CVE-2026-57264, with a CVSS score of 8.3, has been identified in GeoWebPlayer, an addon for various GeoVision software products. This vulnerability allows for out-of-bound access to arrays via a websocket server command, potentially leading to arbitrary code execution. The affected version is V1.1.1.0 running on Windows and 64-bit platforms.
Technical Analysis
The vulnerability is classified as an out-of-bound array access issue (CWE-129). GeoWebPlayer creates a websocket server that accepts commands from localhost, some of which utilize an `index` value to access arrays for critical operations. However, this `index` value is not validated for a valid range, allowing it to access arrays out-of-bound. Specifically, the `setPIP` command is affected by this issue.
How It Gets Exploited
An attacker would need to be able to send commands to the websocket server running on localhost. This could potentially be achieved if the attacker has network access to the system running GeoWebPlayer or if they can exploit another vulnerability to gain local access. The attacker would send a crafted command, specifically the `setPIP` command, with an `index` value that exceeds the valid range for the targeted array. This would allow the attacker to access memory outside the array bounds, potentially leading to arbitrary code execution.
Impact Assessment
The vulnerability affects GeoWebPlayer version V1.1.1.0 on Windows and 64-bit platforms. Successful exploitation could allow an attacker to achieve arbitrary code execution, leading to high impacts on confidentiality, integrity, and availability (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). The CVSS score of 8.3 indicates a high severity level.
Recommended Actions
- Update GeoWebPlayer to version V1.1.3.0 or later to mitigate the vulnerability.
- Ensure that GeoWebPlayer is not exposed to untrusted networks or systems.
- Implement network segmentation to limit access to the system running GeoWebPlayer.
- Monitor for suspicious websocket traffic or commands to the GeoWebPlayer server.
Sources
- National Vulnerability Database (NVD)
- TALOS-2026-2373
- GeoVision cybersecurity updates