CVE-2026-12847
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
The GV-I/O Box 4E is a smart embedded device that is vulnerable to stack overflow due to improper handling of UDP messages. An attacker can send a specially crafted message, leading to potential buffer overflow.
Risk Assessment
This vulnerability may allow an attacker to execute remote code or destabilize the device, potentially leading to serious security implications for the network.
Recommendation
It is recommended to restrict access to the DVRSearch service and implement input validation to prevent stack overflow.
Original NVD description (English source)
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### Gateway field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v7 = strlen(g_network_config->gateway); memcpy(&reply_buf[216], g_network_config->gateway, v7);

