How is CVE-2026-57879 exploited?

Network reachability (required): The attacker must reach the device's RTSP service over the network; no local or physical access is needed. Authentication (not-required): No credentials are needed; the vulnerable RTSP code path is accessible before any authentication handshake completes. Victim interaction (not-required): Exploitation is entirely attacker-driven; no user or administrator action on the target device is required. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race wins, or environment-specific layout knowledge.

What is the impact of CVE-2026-57879?

An attacker can execute arbitrary code on the device, gaining full control over camera functions, stored footage, and any credentials held in memory. An attacker can read sensitive data held in the device process, including authentication tokens and network configuration. An attacker can modify device state or configuration, redirecting video streams or disabling recording. An attacker can crash the ssvr process or the device entirely, cutting off camera feeds and triggering a denial of service.

Back to search

CRITICALCVE-2026-57879Published 2026-06-26Modified 2026-06-26CNA GV

CVE-2026-57879: GV-LPC2011/LPC2211 - unauthorized buffer overflow via AuthMode/AuthValue path (ssvr)

An unauthenticated stack-based buffer overflow vulnerability exists in ssvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when processing RTSP custom authentication data. A remote attacker may exploit this vulnerability by sending a crafted RTSP request, resulting in memory corruption, denial of service, or potentially arbitrary code execution.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 1.13
Affected Products: 1

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the ssvr component of GeoVision GV-LPC2011 and GV-LPC2211 network cameras running firmware V1.12 and earlier. The flaw is reachable over the network with no authentication required, triggered by sending a crafted RTSP request with oversized AuthMode or AuthValue data that exceeds the bounds of a fixed stack buffer. Successful exploitation corrupts memory and can lead to arbitrary code execution, denial of service, or full device compromise. A patched-image rebuild at firmware version 1.13 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle this firmware or its components.

Available

Triage

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy to surface it at the appropriate severity tier; routing rules then send the finding to the correct team inbox within the affected customer organization.

Available

Patch

A patched-image rebuild at version 1.13 becomes available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard automatically triggers the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the device's RTSP service over the network; no local or physical access is needed.
AuthenticationNot required
No credentials are needed; the vulnerable RTSP code path is accessible before any authentication handshake completes.
Victim interactionNot required
Exploitation is entirely attacker-driven; no user or administrator action on the target device is required.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race wins, or environment-specific layout knowledge.

Blast Radius

An attacker can execute arbitrary code on the device, gaining full control over camera functions, stored footage, and any credentials held in memory.
An attacker can read sensitive data held in the device process, including authentication tokens and network configuration.
An attacker can modify device state or configuration, redirecting video streams or disabling recording.
An attacker can crash the ssvr process or the device entirely, cutting off camera feeds and triggering a denial of service.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-57879 is active and matches any image in a customer registry or pipeline that includes GV-LPC2011 or GV-LPC2211 firmware at V1.12 or earlier. A rebuilt image at the patched version 1.13 is made available as soon as the affected image is identified. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a PR against affected workloads automatically; median time from CVE publication to a merged patch PR for critical-severity issues is around 90 minutes in those environments. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and a direct link to the rebuilt image. Given the unauthenticated network exposure and critical severity, teams that have not yet enabled auto-remediation should treat this as a high-priority manual review.

See how HarborGuard automates this

Fix available

1.13

Affected packages

GeoVision Inc. / GV-LPCLPC2011/2211
1.12
Fixed in 1.13

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

geovision.com.tw

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available