HarborGuard Database

Severity: HIGH | CVE-2026-12192 | CNA: VulDB

CVE-2026-12192: GALAYOU Y4 Web Server buffer overflow

A vulnerability was found in GALAYOU Y4 1.0.0. An unknown function of the Web Server component is affected. The manipulation leads to a buffer overflow. The attack can only be carried out from within the local network. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

A buffer overflow vulnerability affects the web server component of the GALAYOU Y4 firmware version 1.0.0. The flaw is reachable from the local network (LAN, adjacent segment, or VPN) without any authentication required. Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the device, including the ability to read stored data, tamper with device state, and crash or take over the service. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available the moment an upstream fix ships.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the GALAYOU Y4 firmware or its web server component. Any image layer containing the affected 1.0.0 artifact will surface a finding automatically.

Triage: Available

HarborGuard scores this finding at CVSS 4.0 8.7 (High) and weights it against each customer organization's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within the customer org based on configured policy rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor ships a corrected release. In the interim, the open finding remains active and visible in the customer dashboard so affected images are not silently deprioritized.

Exploit Conditions

  • Network reachability: local network only

    The attacker must be on the same local network, adjacent segment, or connected VPN as the target device; remote internet-based access is not sufficient.

  • Authentication: not required

    No credentials or account of any privilege level are needed to reach the vulnerable web server endpoint.

  • Victim interaction: not required

    The attacker can trigger the buffer overflow without any action from a user on the target device.

  • Attack complexity: low

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental setup required.

Blast Radius

  • A successful attacker reads all data accessible to the web server process, including stored credentials, session tokens, and camera configuration.
  • The attacker can write or modify device configuration, potentially redirecting video feeds or altering access control settings.
  • The web server process can be crashed, making the device management interface unavailable and potentially disrupting camera operation.
  • With full confidentiality, integrity, and availability impact on the device, the attacker can use it as a foothold for further lateral movement within the local network segment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12192 is active and will flag any image in a customer registry or CI pipeline that includes the GALAYOU Y4 1.0.0 web server component. Because no vendor patch exists yet, HarborGuard monitors the advisory on every ingest cycle. The moment an upstream fix is published, it will trigger a patched-image rebuild and, for customers with auto-remediation enabled, run a regression test and open a PR against affected workloads. In the interim, recommended compensating controls are: network policy isolation that restricts access to the device's web server port to trusted hosts only; egress filtering that limits what the device can reach if it is compromised; and an audit of whether any images in your registry bundle this firmware version. The open finding remains visible and active in the HarborGuard dashboard until a patch is available.

Affected packages

  • GALAYOU / Y4, version 1.0.0

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P