Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-12846: GeoVision GV-I/O Box 4E UDP Stack Overflow (Net Mask Field)
CVE-2026-12846: GeoVision GV-I/O Box 4E UDP Stack Overflow (Net Mask Field)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-12846

CVE-2026-12846: GeoVision GV-I/O Box 4E UDP Stack Overflow (Net Mask Field)

A second critical CVSS 10.0 stack-based buffer overflow in GeoVision GV-I/O Box 4E firmware 2.09 — this time in the Net Mask field handling of the...

Dylan H.

Security Team

June 24, 2026
3 min read

Affected Products

  • GeoVision GV-I/O Box 4E v2.09

Overview

CVE-2026-12846 is the second critical stack-based buffer overflow discovered in the GeoVision GV-I/O Box 4E embedded IoT device, achieving a CVSS v3.1 score of 10.0 CRITICAL. Like CVE-2026-12485, it resides in the DVRSearch service's UDP handling, but this vulnerability affects the Net Mask field rather than the IP address field.

Both vulnerabilities were disclosed simultaneously by Cisco Talos on June 24, 2026, alongside a companion OS command injection flaw (CVE-2026-12486). All three affect firmware version 2.09 and are patched in version 2.12.

Technical Details

The DVRSearch service listens by default on UDP port 10001 and does not require authentication from network-connected users. When constructing a reply packet to a discovery query, the service copies the device's stored net mask value into a fixed reply buffer at offset 184 without performing bounds checking:

v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);

As with CVE-2026-12485, the service reads up to 1460 bytes from the network into a local buffer. If the stored net_mask field is overlong, the memcpy writes past the end of the reply buffer, corrupting adjacent stack memory and enabling arbitrary code execution.

PropertyValue
CVECVE-2026-12846
CVSS v3.110.0 CRITICAL
VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWECWE-121 (Stack-based Buffer Overflow)
Affected VersionGV-I/O Box 4E v2.09
Fixed VersionGV-I/O Box 4E v2.12
ProtocolUDP port 10001
Offsetreply_buf[184]

Affected Products

  • Vendor: GeoVision Inc.
  • Product: GV-I/O Box 4E
  • Platform: Linux (embedded)
  • Vulnerable firmware: V2.09
  • Patched firmware: V2.12

Relationship to Other GeoVision CVEs

This CVE is part of a trio of vulnerabilities disclosed simultaneously by Cisco Talos:

CVETypeCVSSField
CVE-2026-12485Stack Overflow10.0IP Address (offset 36)
CVE-2026-12846Stack Overflow10.0Net Mask (offset 184)
CVE-2026-12486OS Command Injection9.1IP Address via system()

Both stack overflow vulnerabilities are reachable without authentication, making them the highest priority to remediate. The command injection flaw (CVE-2026-12486) requires administrative credentials but can be chained with either stack overflow for full compromise.

Impact

Successful exploitation of CVE-2026-12846 allows a remote, unauthenticated attacker to:

  • Execute arbitrary code on the device's embedded Linux OS
  • Gain full control of relay outputs and digital inputs, enabling physical infrastructure manipulation
  • Achieve lateral network movement from a compromised IoT device
  • Cause denial of service by crashing the DVRSearch service

The CVSS Scope:Changed rating indicates the blast radius extends beyond the device itself to connected systems and networks.

Remediation

  1. Update to firmware V2.12 immediately — this is the vendor-confirmed fix for all three CVEs.
  2. Block UDP port 10001 at the network perimeter and between security zones to prevent unauthenticated DVRSearch access.
  3. Isolate GV-I/O Box 4E devices on a dedicated IoT VLAN with no direct internet exposure.
  4. Monitor for anomalous UDP traffic on port 10001, which may indicate active scanning or exploitation attempts.
  5. If firmware update is not immediately possible, disable the DVRSearch service via the device configuration interface if the feature is not operationally required.

References

  • Cisco Talos Advisory TALOS-2026-2377
  • GeoVision Cyber Security Page
  • NVD Entry — CVE-2026-12846
  • CVE-2026-12485 (companion — IP address overflow)
  • CVE-2026-12486 (companion — command injection)
#CVE#GeoVision#IoT#Buffer Overflow#Remote Code Execution#Embedded Device#UDP

Related Articles

CVE-2026-12485: GeoVision GV-I/O Box 4E UDP Stack Overflow (IP Address Field)

A critical CVSS 10.0 stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated remote attackers to achieve...

3 min read

CVE-2026-12486: GeoVision GV-I/O Box 4E OS Command Injection via libNetSetObj.so

Multiple OS command injection vulnerabilities in GeoVision GV-I/O Box 4E firmware 2.09 allow attackers with network access to execute arbitrary system...

3 min read

CVE-2026-52186: Critical SQL Injection RCE in UTT nv518G Router

A critical SQL injection vulnerability (CVSS 9.8) in the UTT nv518G router allows unauthenticated remote attackers to execute arbitrary code via the...

3 min read
Back to all Security Alerts