CVE Catalog

CVE-2026-12847

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

The GV-I/O Box 4E is a smart embedded device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, leading to potential buffer overflow.

Risk Assessment

This vulnerability may allow an attacker to execute remote code or destabilize the device, potentially leading to serious security implications for the network.

Recommendation

It is recommended to restrict access to the DVRSearch service and implement input validation to prevent stack overflow.

Original NVD description (English source)

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Gateway field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v7 = strlen(g_network_config->gateway); memcpy(&reply_buf[216], g_network_config->gateway, v7);

Vulnerability data from NVD (NIST) · CISA KEV · EPSS