{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-12847: GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-12847","status":"final","version":"1","initial_release_date":"2026-06-24T03:34:28.215Z","current_release_date":"2026-06-24T13:16:38.193Z","revision_history":[{"date":"2026-06-24T03:34:28.215Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Gateway field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v7 = strlen(g_network_config->gateway);\n\n      memcpy(&reply_buf[216], g_network_config->gateway, v7);","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-12847 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-12847"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-12847"},{"category":"external","summary":"geovision.com.tw","url":"https://www.geovision.com.tw/cyber_security.php"},{"category":"external","summary":"talosintelligence.com","url":"https://talosintelligence.com/vulnerability_reports/TALOS-2026-2377"}]},"product_tree":{"branches":[{"category":"vendor","name":"GeoVision Inc.","branches":[{"category":"product_name","name":"GV-I/O Box 4E","branches":[{"category":"product_version","name":"V2.09","product":{"name":"GeoVision Inc. GV-I/O Box 4E V2.09","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:geovision_inc.:gv-i\\/o_box_4e:v2.09:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"v2.12","product":{"name":"GeoVision Inc. GV-I/O Box 4E v2.12","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:geovision_inc.:gv-i\\/o_box_4e:v2.09:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-12847","title":"GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command","notes":[{"category":"description","text":"GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.\n\nDVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. \n\n\n\nUpon receiving a UDP message,  the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:\n\n\n#### Gateway field stack overflow\n\nThe following code is vulnerable to a stack overflow that is attacker-controlled:\n\n\n\n      v7 = strlen(g_network_config->gateway);\n\n      memcpy(&reply_buf[216], g_network_config->gateway, v7);","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":10,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: v2.12.","product_ids":["CSAFPID-1"]}]}]}