Executive Summary
A critical unauthenticated stack-based buffer overflow has been disclosed in the ssvr RTSP streaming daemon of GeoVision GV-LPC2011 and GV-LPC2211 cameras (firmware V1.12 and earlier). Assigned CVE-2026-57880 with a CVSS score of 9.8 (Critical), this vulnerability specifically occurs during parsing of RTSP Digest authentication fields, allowing an unauthenticated remote attacker to execute arbitrary code on affected devices.
CVSS Score: 9.8 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-57880 |
| CVSS Score | 9.8 (Critical) |
| Type | Stack-Based Buffer Overflow |
| Component | ssvr (RTSP streaming server) — Digest authentication parser |
| Attack Vector | Network |
| Authentication | None required |
| Privileges Required | None |
| User Interaction | None |
| Availability Impact | High |
| Confidentiality Impact | High |
| Integrity Impact | High |
Root Cause
This vulnerability is distinct from CVE-2026-57879 in that it targets the Digest authentication parsing logic within the same ssvr component, rather than custom authentication data. RTSP Digest authentication (modeled after HTTP Digest Auth — RFC 2617) involves multiple fields such as username, realm, nonce, uri, and response. The ssvr daemon fails to validate the length of one or more of these fields before copying them into stack-allocated buffers, enabling an overflow that can corrupt the return address and hijack execution flow.
Affected Products
| Product | Affected Firmware | Fixed Version |
|---|---|---|
| GeoVision GV-LPC2011 | V1.12 and earlier | TBD |
| GeoVision GV-LPC2211 | V1.12 and earlier | TBD |
Technical Analysis
Digest Authentication as an Attack Surface
RTSP Digest authentication is a challenge-response mechanism intended to protect streaming access. During the authentication handshake:
- Client sends an initial RTSP request (e.g.,
DESCRIBE). - Server responds with
401 Unauthorizedand aWWW-Authenticate: Digest realm=...header. - Client re-sends the request with an
Authorization: Digest ...header containing fields likeusername,realm,nonce,uri,response, andopaque.
The GeoVision ssvr daemon parses these Authorization: Digest fields without bounds checking. By crafting a request with an oversized value in one or more Digest fields, an attacker can:
- Overflow a stack buffer during field parsing
- Overwrite adjacent stack memory including the return address
- Redirect execution to attacker-controlled code
This attack occurs at the authentication processing stage — before any valid credential check — meaning no prior authentication is needed to trigger the vulnerability.
Relationship to CVE-2026-57879
Both CVE-2026-57879 and CVE-2026-57880 affect the ssvr component and are stack-based buffer overflows exploitable via RTSP. They differ in the specific code path triggered:
- CVE-2026-57879: Overflow in custom authentication data processing
- CVE-2026-57880: Overflow in standard RTSP Digest authentication field parsing
Both must be treated as independent vulnerabilities requiring separate analysis in exploit development and patch verification.
Risk Assessment
Exposure Profile
- RTSP (port 554) is widely opened on firewalls for camera streaming
- Digest authentication was intended as a security improvement over basic auth but becomes an attack vector here
- Cameras are frequently deployed at critical physical security points (entrances, parking, access control)
- Attackers could use a compromised camera as a stealthy internal network foothold
Business Impact
| Impact Category | Description |
|---|---|
| Physical Security | Disable or tamper with license plate recognition and surveillance |
| Data Breach | Access captured plate images and recognition logs |
| Network Infiltration | Use camera as pivot point into corporate LAN |
| Service Disruption | Crash or brick camera via uncontrolled overflow |
Remediation
Priority Actions
- Apply firmware patches from GeoVision upon release — verify V1.13 or later addresses CVE-2026-57880.
- Block RTSP access (TCP 554) at perimeter and internal firewalls for camera segments.
- Require VPN for all remote camera viewing — do not expose RTSP directly.
- Network segment cameras on a dedicated IoT VLAN with egress filtering.
- Audit current exposure — scan for GeoVision LPC cameras reachable from internet or corporate WAN.
Compensating Controls
| Control | Effectiveness |
|---|---|
| Firewall block on TCP 554 | Eliminates remote exploitability |
| VLAN isolation | Limits lateral movement post-compromise |
| IDS signature for oversized RTSP Digest fields | Detects active exploitation attempts |
| Firmware monitoring | Alerts when vendor patch becomes available |
Key Takeaways
- CVSS 9.8 Critical — Unauthenticated RCE via RTSP Digest authentication parsing flaw.
- Authentication mechanisms can themselves be attack surfaces when implementations lack bounds checking.
- Part of a four-CVE cluster affecting GeoVision LPC cameras — treat as a systemic firmware quality issue.
- RTSP port 554 is commonly exposed — urgently review firewall rules for all GeoVision camera deployments.
- Patch and isolate pending GeoVision firmware release.
References
- NVD — CVE-2026-57880
- RFC 2617 — HTTP Authentication: Basic and Digest Access Authentication
- GeoVision Official Website