CRITICAL CVE-2026-12846 Published Modified CNA GV

CVE-2026-12846: GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service that runs by default on the IOBox and listens for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.

Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

#### Net Mask field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

```c
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);
```
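
A bounded form of the copy pattern quoted above, added here as an illustration; it is not GeoVision's code or the v2.12 fix. The reply buffer size, the net mask field width and the `copy_field` helper are assumptions; only the 184 offset and the 1460-byte receive limit come from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes, for illustration only: the page gives the 184 offset and the
 * 1460-byte receive limit, not the reply buffer size or the field width. */
#define RECV_MAX        1460
#define REPLY_BUF_SIZE  256   /* hypothetical */
#define NET_MASK_OFFSET 184
#define NET_MASK_FIELD  16    /* hypothetical: "255.255.255.255" plus NUL */

/* Copy an untrusted string into a fixed-width field of the reply buffer.
 * Returns the number of bytes copied, or -1 if the input is rejected. */
int copy_field(char *reply, size_t reply_size, size_t offset, size_t field_width,
               const char *src, size_t src_max)
{
    if (!reply || !src || field_width == 0)
        return -1;
    /* The field must lie entirely inside the destination buffer. */
    if (offset > reply_size || field_width > reply_size - offset)
        return -1;
    /* Bounded length: never scan past the bytes actually received. */
    const char *nul = memchr(src, '\0', src_max);
    if (!nul)
        return -1;
    size_t len = (size_t)(nul - src);
    /* Reject rather than truncate: a mask longer than the field is malformed. */
    if (len >= field_width)
        return -1;
    memcpy(reply + offset, src, len);
    memset(reply + offset + len, 0, field_width - len);  /* zero-pad the field */
    return (int)len;
}

int main(void)
{
    char reply[REPLY_BUF_SIZE] = {0};
    char oversized[RECV_MAX];            /* constructed input: 299 bytes, then NUL */
    memset(oversized, 'A', sizeof oversized);
    oversized[299] = '\0';

    printf("valid mask -> %d\n", copy_field(reply, sizeof reply, NET_MASK_OFFSET,
           NET_MASK_FIELD, "255.255.255.0", 14));
    printf("oversized  -> %d\n", copy_field(reply, sizeof reply, NET_MASK_OFFSET,
           NET_MASK_FIELD, oversized, sizeof oversized));
    return 0;
}
```

The length is derived from the destination field and the received byte count, never from `strlen` on the untrusted string alone, which is the check the quoted snippet lacks.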

Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: v2.12
Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the DVRSearch service of the GeoVision GV-I/O Box 4E embedded device, specifically triggered by a crafted CMD_IP_SET UDP message sent to port 10001. The service is reachable over the network with no authentication required, and any host that can send UDP packets to the device can trigger the flaw. Successful exploitation gives an attacker full control over the affected device, enabling arbitrary code execution with access to all stored data, the ability to modify device configuration and relay outputs, and the ability to crash or destabilize the service. A patched-image rebuild at v2.12 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-12846 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected GV-I/O Box firmware or derived components.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 10.0 (Critical) using the published v3.1 vector and applies per-environment compliance policy weighting to determine urgency and routing, ensuring findings reach the appropriate team inbox within each customer organization without requiring manual prioritization.

Status: Available

Patch

A patched-image rebuild at v2.12 is available on HarborGuard for any environment where an affected v2.09 image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send UDP packets to port 10001 on the target device over the network; no physical or local access is required.

  • Authentication: Not required

    The DVRSearch service accepts messages from any network host without any credentials or session establishment.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven; no user action or interaction on the device side is needed to trigger the overflow.

  • Attack complexity: Detail

    The exploit is reliable and condition-free: the overflow is triggered deterministically by a single crafted UDP packet with no dependency on timing, memory layout guessing, or environmental state.

Blast Radius

  • An attacker gains the ability to execute arbitrary code on the device with the privileges of the DVRSearch service process.
  • All data stored on or accessible through the device, including network configuration and credentials, is readable by the attacker.
  • The attacker can modify device configuration and directly control the four relay outputs, enabling physical-world manipulation of connected equipment.
  • The attacker can crash the DVRSearch service or render the device unresponsive, disrupting Ethernet and RS-485 control availability.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image in a customer registry or pipeline that carries the affected GV-I/O Box 4E firmware at v2.09. Because this is a Critical-severity issue (CVSS 10.0), it is surfaced at the top of the findings queue and routed according to each environment's compliance policy.

A rebuild at v2.12 is available immediately for affected images. For customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is queued for manual review with remediation guidance pointing to the v2.12 upgrade.

Until the upgrade is applied, compensating controls include restricting UDP access to port 10001 via network policy (firewall rules or Kubernetes NetworkPolicy), isolating the device to a dedicated VLAN or segment inaccessible from untrusted hosts, and applying egress filtering to limit lateral movement if the device is compromised.


Fix available: v2.12

Affected packages
  • GeoVision Inc. / GV-I/O Box 4E: V2.09 (fixed in v2.12)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H