CVE-2026-57878: GV-LPC2011/LPC2211 - unauthorized buffer overflow vulnerability (thttpd)
An unauthenticated stack-based buffer overflow vulnerability exists in thttpd in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when processing web request parameters in a specific request path. A remote attacker may exploit this vulnerability by sending a crafted HTTP request with overly long input, resulting in memory corruption, denial of service, or potentially arbitrary code execution.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 1.13
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in the thttpd web server component of GeoVision GV-LPC2011 and GV-LPC2211 devices running firmware V1.12 and earlier. The vulnerability is reachable over the network with no authentication required, triggered by sending a crafted HTTP request with an overly long parameter to a specific request path. Successful exploitation causes memory corruption that enables denial of service or arbitrary code execution on the affected device. A patched-image rebuild at firmware version 1.13 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-57878 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images derived from affected GeoVision firmware versions. Any image carrying GV-LPC2011 or GV-LPC2211 firmware at V1.12 or earlier is flagged automatically.
Available
HarborGuard scores this CVE at CVSS 9.8 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization, prioritized for immediate attention given the critical severity and zero-authentication exploit path.
Available
A patched-image rebuild at firmware version 1.13 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the device's thttpd web server over the network; no local or physical access is needed.
- Authentication: Not required
  No account or credentials of any kind are required; the exploit works against the unauthenticated HTTP interface.
- Victim interaction: Not required
  The attacker sends a crafted HTTP request directly; no user on the target device needs to take any action.
- Attack complexity: Detail
  Exploitation is reliable and condition-free; the attacker simply sends an oversized HTTP parameter with no need to win a race or satisfy environmental prerequisites.
Blast Radius
- The attacker achieves arbitrary code execution on the affected device, gaining full control over its runtime environment.
- All data stored or processed by the device is readable by the attacker, including configuration, credentials, and captured media.
- The attacker can modify persisted configuration and firmware state on the device.
- The device process can be crashed at will, causing a denial of service and taking the device offline.
How HarborGuard Handles This
Available on HarborGuard: images containing GV-LPC2011 or GV-LPC2211 firmware at V1.12 or earlier are matched against this CVE within minutes of the advisory entering upstream feeds, with no additional configuration required. Where compliance policy permits, auto-remediation customers receive a rebuilt image at firmware version 1.13, a regression-test run, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS 9.8 Critical severity and routes it to the designated team inbox. Given the zero-authentication, over-the-network exploit path, compensating controls worth considering until the patch is applied include network-policy rules that restrict inbound HTTP access to the device's management interface and egress filtering to limit post-exploitation reach.
Fix available
- GeoVision Inc. / GV-LPC: LPC2011/2211, 1.12, Fixed in 1.13
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H