CVE-2026-57273, CVE-2026-57274, CVE-2026-57275, CVE-2026-57276, CVE-2026-57277, CVE-2026-57278
Multiple exploitable stack-based buffer overflow vulnerabilities exist in the Websocket Server connectInfo handler functionality of GeoWebPlayer (version(s): 1.1.1.0). A specially crafted websocket message can lead to arbitrary code execution. An attacker can stage a malicious webpage to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
GeoWebPlayer (version(s): 1.1.1.0)
GeoWebPlayer - http://ovision.com.tw/
8.3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
GeoWebPlayer (also called “Web Plugin” in the GV-VMS documentation and “WS Player” for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, …). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.
In this function, we can see that an overflow of the conn_info.username buffer can occur if the JSON username field exceeds the buffer size (64 bytes). This code path is reached when no key variable is provided:
    v16 = get_entry(json_root, "username");
    if ( json_is_value_str(v16) )
    {
        v17 = get_entry(json_root, "username");
        v56 = (std_string *)json_value_to_string(v17, (int)&username_obj_str);
        v55 = std_string_get_buffer_(v56);
        username = conn_info.username;
        v53 = conn_info.username;
        do
        {
            v52 = *v55;
            *username = v52;
            v55 = ((char *)v55 + 1);
            ++username;
        }
        while ( v52 );
        string_cleanup(&username_obj_str);
    }
In this function, we can see that an overflow of the conn_info.password buffer can occur if the JSON password field exceeds the buffer size (64 bytes). This code path is reached when no key variable is provided:
    v18 = get_entry(json_root, "password");
    if ( json_is_value_str(v18) )
    {
        v19 = get_entry(json_root, "password");
        v51 = (std_string *)json_value_to_string(v19, (int)&password_obj_str);
        v50 = std_string_get_buffer_(v51);
        password = conn_info.password;
        v48 = conn_info.password;
        do
        {
            v47 = *v50;
            *password = v47;
            ++v50;
            ++password;
        }
        while ( v47 );
        string_cleanup(&password_obj_str);
    }
In this function, we can see that an overflow of the username_enc buffer can occur if the JSON username field exceeds the buffer size (128 bytes). This code path is reached when a key variable is provided:
    memset(username_enc, 0, sizeof(username_enc));
    v12 = get_entry(json_root, "username");
    if ( json_is_value_str(v12) )
    {
        v13 = get_entry(json_root, "username");
        v66 = (std_string *)json_value_to_string(v13, (int)&v98);
        v65 = std_string_get_buffer_(v66);
        v64 = username_enc;
        v63 = username_enc;
        do
        {
            v62 = *v65;
            *v64 = v62;
            ++v65;
            ++v64;
        }
        while ( v62 );
        string_cleanup(&v98);
    }
In this function, we can see that an overflow of the password_enc buffer can occur if the JSON password field exceeds the buffer size (128 bytes). This code path is reached when a key variable is provided:
    memset(password_enc, 0, sizeof(password_enc));
    v14 = get_entry(json_root, "password");
    if ( json_is_value_str(v14) )
    {
        v15 = get_entry(json_root, "password");
        v61 = (std_string *)json_value_to_string(v15, (int)&v97);
        v60 = std_string_get_buffer_(v61);
        v59 = password_enc;
        v58 = password_enc;
        do
        {
            v57 = v60->field_0;
            *v59 = v57;
            v60 = (std_string *)((char *)v60 + 1);
            ++v59;
        }
        while ( v57 );
        string_cleanup(&v97);
    }
In this function, we can see that an overflow of the key_blob buffer can occur if the JSON key field exceeds the buffer size (17 bytes):
    memset(key_blob, 0, sizeof(key_blob)); // defined as char key_blob[17]
    v70 = get_string_buffer(&key_obj_str);
    p_key_blob = &key_blob;
    v68 = &key_blob;
    do
    {
        v67 = *v70;
        *p_key_blob = v67;
        ++v70;
        ++p_key_blob;
    }
    while ( v67 );
In this function, we can see that an overflow of the conn_info.ip_or_host buffer can occur if the JSON ip field exceeds the buffer size (256 bytes):
    v4 = get_entry(json_root, "ip");
    if ( json_is_value_str(v4) )
    {
        v5 = get_entry(json_root, "ip");
        v75 = (std_string *)json_value_to_string(v5, (int)&v99);
        buffer = std_string_get_buffer_(v75);
        p_conn_info = (char *)&conn_info.ip_or_host;
        v72 = &conn_info;
        do
        {
            v71 = *buffer;
            *p_conn_info = v71;
            ++buffer;
            ++p_conn_info;
        }
        while ( v71 );
        string_cleanup(&v99);
    }
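All six copy loops above write until the source NUL with no reference to the destination size. The following is an added example, not vendor or Talos code, of the bounded copy the handler lacks. The buffer sizes come from this advisory; the struct layout and the names conn_info_example, copy_field and fill_conn_info are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Buffer sizes are the ones stated in the advisory; the struct layout and all
 * names below are hypothetical, not recovered from the GeoWebPlayer binary. */
struct conn_info_example {
    char ip_or_host[256];
    char username[64];
    char password[64];
};

/* Bounded replacement for the decompiled do/while copy: the source length is
 * checked against the destination (NUL included) before any byte is written. */
static int copy_field(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= dst_size)            /* no room for the terminator: reject */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Validate every field into a scratch copy, then commit, so a rejected
 * message never leaves the caller's struct half-filled. */
int fill_conn_info(struct conn_info_example *out,
                   const char *ip, const char *username, const char *password)
{
    struct conn_info_example tmp;
    memset(&tmp, 0, sizeof(tmp));
    if (copy_field(tmp.ip_or_host, sizeof(tmp.ip_or_host), ip) != 0 ||
        copy_field(tmp.username, sizeof(tmp.username), username) != 0 ||
        copy_field(tmp.password, sizeof(tmp.password), password) != 0)
        return -1;
    *out = tmp;
    return 0;
}

int main(void)
{
    struct conn_info_example ci;
    char long_name[65];             /* constructed input: 64 'A's plus NUL */
    memset(long_name, 'A', 64);
    long_name[64] = '\0';
    int ok  = fill_conn_info(&ci, "192.0.2.10", "admin", "secret");   /* fits */
    int bad = fill_conn_info(&ci, "192.0.2.10", long_name, "secret"); /* rejected */
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```

The same helper applies unchanged to the 128-byte username_enc and password_enc buffers and to the 17-byte key_blob, where a 16-character key is the longest value that fits.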
2026-03-25 - Initial Vendor Contact
2026-04-21 - Vendor Disclosure
2026-04-28 - Vendor Patch Release
2026-07-01 - Public Release
Philippe Laulheret of Cisco Talos