Overview
CVE-2026-12846 is the second critical stack-based buffer overflow discovered in the GeoVision GV-I/O Box 4E embedded IoT device, achieving a CVSS v3.1 score of 10.0 CRITICAL. Like CVE-2026-12485, it resides in the DVRSearch service's UDP handling, but this vulnerability affects the Net Mask field rather than the IP address field.
Both vulnerabilities were disclosed simultaneously by Cisco Talos on June 24, 2026, alongside a companion OS command injection flaw (CVE-2026-12486). All three affect firmware version 2.09 and are patched in version 2.12.
Technical Details
The DVRSearch service listens by default on UDP port 10001 and does not require authentication from network-connected users. When constructing a reply packet to a discovery query, the service copies the device's stored net mask value into a fixed reply buffer at offset 184 without performing bounds checking:
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);As with CVE-2026-12485, the service reads up to 1460 bytes from the network into a local buffer. If the stored net_mask field is overlong, the memcpy writes past the end of the reply buffer, corrupting adjacent stack memory and enabling arbitrary code execution.
| Property | Value |
|---|---|
| CVE | CVE-2026-12846 |
| CVSS v3.1 | 10.0 CRITICAL |
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-121 (Stack-based Buffer Overflow) |
| Affected Version | GV-I/O Box 4E v2.09 |
| Fixed Version | GV-I/O Box 4E v2.12 |
| Protocol | UDP port 10001 |
| Offset | reply_buf[184] |
Affected Products
- Vendor: GeoVision Inc.
- Product: GV-I/O Box 4E
- Platform: Linux (embedded)
- Vulnerable firmware: V2.09
- Patched firmware: V2.12
Relationship to Other GeoVision CVEs
This CVE is part of a trio of vulnerabilities disclosed simultaneously by Cisco Talos:
| CVE | Type | CVSS | Field |
|---|---|---|---|
| CVE-2026-12485 | Stack Overflow | 10.0 | IP Address (offset 36) |
| CVE-2026-12846 | Stack Overflow | 10.0 | Net Mask (offset 184) |
| CVE-2026-12486 | OS Command Injection | 9.1 | IP Address via system() |
Both stack overflow vulnerabilities are reachable without authentication, making them the highest priority to remediate. The command injection flaw (CVE-2026-12486) requires administrative credentials but can be chained with either stack overflow for full compromise.
Impact
Successful exploitation of CVE-2026-12846 allows a remote, unauthenticated attacker to:
- Execute arbitrary code on the device's embedded Linux OS
- Gain full control of relay outputs and digital inputs, enabling physical infrastructure manipulation
- Achieve lateral network movement from a compromised IoT device
- Cause denial of service by crashing the DVRSearch service
The CVSS Scope:Changed rating indicates the blast radius extends beyond the device itself to connected systems and networks.
Remediation
- Update to firmware V2.12 immediately — this is the vendor-confirmed fix for all three CVEs.
- Block UDP port 10001 at the network perimeter and between security zones to prevent unauthenticated DVRSearch access.
- Isolate GV-I/O Box 4E devices on a dedicated IoT VLAN with no direct internet exposure.
- Monitor for anomalous UDP traffic on port 10001, which may indicate active scanning or exploitation attempts.
- If firmware update is not immediately possible, disable the DVRSearch service via the device configuration interface if the feature is not operationally required.