CVE Catalog

CVE-2026-12846

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

The GV-I/O Box 4E is an embedded smart device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, potentially leading to unauthorized access or device failure.

Risk Assessment

This vulnerability poses a risk to network security as any user on the network can send messages to the DVRSearch service, which may lead to device takeover or destabilization.

Recommendation

It is recommended to block access to port 10001 on the firewall and update the device firmware to mitigate this vulnerability.

Original NVD description (English source)

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Net Mask field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v6 = strlen(g_network_config->net_mask); memcpy(&reply_buf[184], g_network_config->net_mask, v6);

Vulnerability data from NVD (NIST) · CISA KEV · EPSS