CRITICAL | CVE-2026-12848 | CNA: GV

CVE-2026-12848: GeoVision GV-I/O Box DVRSearch buffer overflow vulnerabilities in CMD_IP_SET command

GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.

Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:

#### DNS field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:

```c
/* The copy length comes from the source string alone; nothing compares it
 * with the space remaining in reply_buf after offset 248. */
v8 = strlen(g_network_config->dns_addr);
memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
```
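A bounded version of the copy quoted above, as an added example (not GeoVision's code and not the fix shipped in v2.12). Only the offset 248 and the `dns_addr` name come from the page; the buffer size, the 16-byte field width, the IPv4-only format, the `network_config` layout and the function names are assumptions.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>

#define REPLY_BUF_SIZE 512   /* assumed: the page does not give reply_buf's size */
#define DNS_FIELD_OFFSET 248 /* offset used by the memcpy quoted on the page */
#define DNS_FIELD_MAX 16     /* assumed field width: dotted quad plus NUL */

struct network_config { char dns_addr[64]; }; /* hypothetical layout */

static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Ingest side: accept a DNS value only if it is NUL-terminated inside the
 * received bytes and parses as an IPv4 address. Returns 0 on success. */
int set_dns_addr(struct network_config *cfg, const char *src, size_t src_len)
{
    struct in_addr parsed;
    char tmp[DNS_FIELD_MAX];
    size_t n = bounded_len(src, src_len);

    if (n == src_len || n >= sizeof(tmp))
        return -1; /* unterminated, or longer than any valid address */
    memcpy(tmp, src, n + 1);
    if (inet_pton(AF_INET, tmp, &parsed) != 1)
        return -1;
    memcpy(cfg->dns_addr, tmp, n + 1);
    return 0;
}

/* Reply side: bounded replacement for the strlen/memcpy pair. The length is
 * checked against the field width and the space left in the reply buffer.
 * Returns bytes written, or -1 (refusing instead of truncating). */
int put_dns_field(char *reply, size_t reply_size, const struct network_config *cfg)
{
    size_t n = bounded_len(cfg->dns_addr, sizeof(cfg->dns_addr));

    if (reply_size < DNS_FIELD_OFFSET + DNS_FIELD_MAX || n >= DNS_FIELD_MAX)
        return -1;
    memset(reply + DNS_FIELD_OFFSET, 0, DNS_FIELD_MAX);
    memcpy(reply + DNS_FIELD_OFFSET, cfg->dns_addr, n);
    return (int)n;
}
```

Checking the length on both the ingest and the reply path means a value written by an older code path is still rejected when the reply is built.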

Metrics

  • CVSS v3.1: 10.0
  • Severity: CRITICAL
  • Fixed in: v2.12
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A stack-based buffer overflow affects the GeoVision GV-I/O Box 4E embedded device running firmware V2.09, specifically in the DVRSearch service that listens for UDP messages on port 10001 by default. The service is reachable over the network without any authentication, and the overflow is triggered via a crafted CMD_IP_SET command that causes attacker-controlled data to overflow a stack buffer through an unchecked memcpy of a DNS address field. Successful exploitation gives an attacker full control over the device, including the ability to read sensitive data, modify device state and relay outputs, and crash or hijack the service. A patched-image rebuild at firmware v2.12 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-12848 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that incorporate this firmware or derived layers. Any container image embedding the affected GV-I/O Box firmware version is flagged automatically during both registry scans and CI/CD pipeline runs.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 10.0 Critical and surfaces it at the top of each affected environment's findings queue, weighted further by any compliance policy rules the customer has configured for network-exposed or critical-severity issues. Triage routing directs the finding to the appropriate team inbox within each customer organization based on image ownership and policy settings.

Status: Available

Patch

A patched-image rebuild at firmware v2.12 becomes available on HarborGuard the moment the upstream fix version is resolved against affected image layers. For customers with auto-remediation enabled, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send UDP packets to port 10001 on the target device over the network; no prior foothold on the host is required.

  • Authentication: Not required

    The DVRSearch service accepts UDP messages from any host on the network with no authentication or session credential required.

  • Victim interaction: Not required

    Exploitation is fully passive from the victim side; no user action, click, or approval is needed to trigger the overflow.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; the attacker sends a single crafted UDP packet and the overflow occurs deterministically without needing to win a race condition or satisfy environmental prerequisites.

Blast Radius

  • Reads arbitrary memory from the device stack frame, potentially exposing network configuration secrets including stored credentials and the DNS address field used in the overflow.
  • Overwrites the stack return address with attacker-supplied data, enabling arbitrary code execution in the context of the DVRSearch service process.
  • Modifies device relay outputs and input/output configuration, allowing physical control over whatever equipment is wired to the four relays.
  • Crashes or permanently hijacks the DVRSearch service, denying legitimate management access to the device over Ethernet.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12848 is active across all scanned environments, matching images against the affected GV-I/O Box firmware version V2.09 within minutes of CVE publication. For environments where container images embed or derive from this firmware, a patched rebuild at v2.12 is available. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the fix version, runs a regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes. Where auto-remediation is not enabled or where compliance policy requires manual approval, HarborGuard surfaces the finding as a critical-priority item in the triage queue with full CVSS context. As an interim compensating control while a patch is being scheduled, customers can apply a network policy to restrict UDP access to port 10001 to trusted management hosts only, significantly reducing the attack surface given the no-authentication, over-network exposure of this vulnerability.


Fix available: v2.12

Affected packages
  • GeoVision Inc. / GV-I/O Box 4E: V2.09 (fixed in v2.12)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H