CVE-2026-12485,CVE-2026-12846,CVE-2026-12847,CVE-2026-12848
Multiple exploitable buffer overflow vulnerabilities exist in the DVRSearch CMD_IP_SET functionality of GV-I/O Box 4E (version(s): 2.09). A specially crafted network request can lead to arbitrary code execution. An attacker can send a network request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
GV-I/O Box 4E (version(s): 2.09)
GV-I/O Box 4E - https://www.geovision.com.tw/product/GV-IO%20Box%204E
10 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-121 - Stack-based Buffer Overflow
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
The following code, which copies ip_addr into reply_buf using the source string's own length, is vulnerable to an attacker-controlled stack overflow:
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
DVRSearch: unhandled page fault (11) at 0x41414140, code 0x80000005
pgd = 86490000
[41414140] *pgd=00000000
Pid: 136, comm: DVRSearch
CPU: 0 Tainted: G O (3.3.0 #44)
PC is at 0x41414140
LR is at 0x76ea1610
pc : [<41414140>] lr : [<76ea1610>] psr: 20000030
sp : 7eed7660 ip : 76f01ebc fp : 41414141
r10: 76f15f70 r9 : 00000000 r8 : 00000000
r7 : 00000008 r6 : 7eed7e20 r5 : 7eed7f7b r4 : 41414141
r3 : 41414141 r2 : 00000009 r1 : ffffffff r0 : 41414141
Flags: nzCv IRQs on FIQs on Mode USER_32 ISA Thumb Segment user
Control: 0000397f Table: 06490000 DAC: 00000015
[<8000ef84>] (unwind_backtrace+0x0/0xf4) from [<8000fc7c>] (__do_user_fault+0x94/0xa0)
[<8000fc7c>] (__do_user_fault+0x94/0xa0) from [<8000fec4>] (do_page_fault+0x1b8/0x360)
[<8000fec4>] (do_page_fault+0x1b8/0x360) from [<80008278>] (do_PrefetchAbort+0x34/0x98)
[<80008278>] (do_PrefetchAbort+0x34/0x98) from [<800098d4>] (ret_from_exception+0x0/0x10)
Exception stack(0x8648bfb0 to 0x8648bff8)
bfa0: 41414141 ffffffff 00000009 41414141
bfc0: 41414141 7eed7f7b 7eed7e20 00000008 00000000 00000000 76f15f70 41414141
bfe0: 76f01ebc 7eed7660 76ea1610 41414140 20000030 ffffffff
The following code, which copies net_mask into reply_buf using the source string's own length, is vulnerable to an attacker-controlled stack overflow:
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);
DVRSearch: unhandled page fault (11) at 0x41414140, code 0x80000005
pgd = 864a0000
[41414140] *pgd=00000000
Pid: 136, comm: DVRSearch
CPU: 0 Tainted: G O (3.3.0 #44)
PC is at 0x41414140
LR is at 0x76f11610
pc : [<41414140>] lr : [<76f11610>] psr: 20000030
sp : 7ec89660 ip : 76f71ebc fp : 41414141
r10: 76f85f70 r9 : 00000000 r8 : 00000000
r7 : 00000008 r6 : 7ec89e20 r5 : 7ec89f7b r4 : 41414141
r3 : 00000001 r2 : 00000009 r1 : ffffffff r0 : 00000001
Flags: nzCv IRQs on FIQs on Mode USER_32 ISA Thumb Segment user
Control: 0000397f Table: 064a0000 DAC: 00000015
[<8000ef84>] (unwind_backtrace+0x0/0xf4) from [<8000fc7c>] (__do_user_fault+0x94/0xa0)
[<8000fc7c>] (__do_user_fault+0x94/0xa0) from [<8000fec4>] (do_page_fault+0x1b8/0x360)
[<8000fec4>] (do_page_fault+0x1b8/0x360) from [<80008278>] (do_PrefetchAbort+0x34/0x98)
[<80008278>] (do_PrefetchAbort+0x34/0x98) from [<800098d4>] (ret_from_exception+0x0/0x10)
Exception stack(0x863a1fb0 to 0x863a1ff8)
1fa0: 00000001 ffffffff 00000009 00000001
1fc0: 41414141 7ec89f7b 7ec89e20 00000008 00000000 00000000 76f85f70 41414141
1fe0: 76f71ebc 7ec89660 76f11610 41414140 20000030 ffffffff
The following code, which copies gateway into reply_buf using the source string's own length, is vulnerable to an attacker-controlled stack overflow:
v7 = strlen(g_network_config->gateway);
memcpy(&reply_buf[216], g_network_config->gateway, v7);
DVRSearch: unhandled page fault (11) at 0x41414140, code 0x80000005
pgd = 86498000
[41414140] *pgd=00000000
Pid: 136, comm: DVRSearch
CPU: 0 Tainted: G O (3.3.0 #44)
PC is at 0x41414140
LR is at 0x76e99610
pc : [<41414140>] lr : [<76e99610>] psr: 20000030
sp : 7ef93660 ip : 76ef9ebc fp : 41414141
r10: 76f0df70 r9 : 00000000 r8 : 00000000
r7 : 00000008 r6 : 7ef93e20 r5 : 7ef93f7b r4 : 41414141
r3 : 00000001 r2 : 00000009 r1 : ffffffff r0 : 00000001
Flags: nzCv IRQs on FIQs on Mode USER_32 ISA Thumb Segment user
Control: 0000397f Table: 06498000 DAC: 00000015
[<8000ef84>] (unwind_backtrace+0x0/0xf4) from [<8000fc7c>] (__do_user_fault+0x94/0xa0)
[<8000fc7c>] (__do_user_fault+0x94/0xa0) from [<8000fec4>] (do_page_fault+0x1b8/0x360)
[<8000fec4>] (do_page_fault+0x1b8/0x360) from [<80008278>] (do_PrefetchAbort+0x34/0x98)
[<80008278>] (do_PrefetchAbort+0x34/0x98) from [<800098d4>] (ret_from_exception+0x0/0x10)
Exception stack(0x86483fb0 to 0x86483ff8)
3fa0: 00000001 ffffffff 00000009 00000001
3fc0: 41414141 7ef93f7b 7ef93e20 00000008 00000000 00000000 76f0df70 41414141
3fe0: 76ef9ebc 7ef93660 76e99610 41414140 20000030 ffffffff
The following code, which copies dns_addr into reply_buf using the source string's own length, is vulnerable to an attacker-controlled stack overflow:
v8 = strlen(g_network_config->dns_addr);
memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
DVRSearch: unhandled page fault (11) at 0x41414140, code 0x80000005
pgd = 864ac000
[41414140] *pgd=00000000
Pid: 136, comm: DVRSearch
CPU: 0 Tainted: G O (3.3.0 #44)
PC is at 0x41414140
LR is at 0x76f75610
pc : [<41414140>] lr : [<76f75610>] psr: 20000030
sp : 7eae3660 ip : 76fd5ebc fp : 41414141
r10: 76fe9f70 r9 : 00000000 r8 : 00000000
r7 : 00000008 r6 : 7eae3e20 r5 : 7eae3f7b r4 : 41414141
r3 : 00000001 r2 : 00000009 r1 : ffffffff r0 : 00000001
Flags: nzCv IRQs on FIQs on Mode USER_32 ISA Thumb Segment user
Control: 0000397f Table: 064ac000 DAC: 00000015
[<8000ef84>] (unwind_backtrace+0x0/0xf4) from [<8000fc7c>] (__do_user_fault+0x94/0xa0)
[<8000fc7c>] (__do_user_fault+0x94/0xa0) from [<8000fec4>] (do_page_fault+0x1b8/0x360)
[<8000fec4>] (do_page_fault+0x1b8/0x360) from [<80008278>] (do_PrefetchAbort+0x34/0x98)
[<80008278>] (do_PrefetchAbort+0x34/0x98) from [<800098d4>] (ret_from_exception+0x0/0x10)
Exception stack(0x86473fb0 to 0x86473ff8)
3fa0: 00000001 ffffffff 00000009 00000001
3fc0: 41414141 7eae3f7b 7eae3e20 00000008 00000000 00000000 76fe9f70 41414141
3fe0: 76fd5ebc 7eae3660 76f75610 41414140 20000030 ffffffff
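A bounded form of the four copies shown above, as an added example that is not Talos's or the vendor's code. The offsets 36, 184, 216 and 248 come from the snippets; REPLY_LEN, SLOT_WIDTH, FIELD_CAP, struct net_cfg and both function names are assumptions made for illustration. A field is copied only if it is NUL-terminated, fits its slot and parses as a dotted-quad IPv4 address.

```c
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Offsets are the ones in the advisory's snippets. The sizes below are
 * assumptions for this example, not values taken from the firmware. */
enum { OFF_IP = 36, OFF_MASK = 184, OFF_GW = 216, OFF_DNS = 248 };
#define REPLY_LEN  512u   /* assumed size of reply_buf */
#define SLOT_WIDTH 32u    /* assumed width of each address slot */
#define FIELD_CAP  64     /* assumed size of each stored config string */

struct net_cfg {          /* hypothetical stand-in for g_network_config */
    char ip_addr[FIELD_CAP], net_mask[FIELD_CAP];
    char gateway[FIELD_CAP], dns_addr[FIELD_CAP];
};

/* Copy one address string into its fixed-width slot.
 * Returns 0 on success, -1 if the field is rejected (nothing is written). */
static int put_ipv4_field(unsigned char *reply, size_t reply_len, size_t off,
                          const char *src, size_t src_cap)
{
    struct in_addr parsed;
    const char *nul = memchr(src, '\0', src_cap);

    if (nul == NULL)                             /* unterminated source field */
        return -1;
    size_t n = (size_t)(nul - src);
    if (off > reply_len || SLOT_WIDTH > reply_len - off)
        return -1;                               /* slot not inside the reply */
    if (n >= SLOT_WIDTH)                         /* must fit with its NUL */
        return -1;
    if (inet_pton(AF_INET, src, &parsed) != 1)   /* must be dotted-quad IPv4 */
        return -1;
    memset(reply + off, 0, SLOT_WIDTH);
    memcpy(reply + off, src, n);
    return 0;
}

/* Fill the network fields of the reply. On -1 the caller must discard the
 * reply, since fields before the rejected one may already be written. */
int fill_network_reply(unsigned char *reply, size_t reply_len,
                       const struct net_cfg *c)
{
    if (put_ipv4_field(reply, reply_len, OFF_IP, c->ip_addr, sizeof c->ip_addr) ||
        put_ipv4_field(reply, reply_len, OFF_MASK, c->net_mask, sizeof c->net_mask) ||
        put_ipv4_field(reply, reply_len, OFF_GW, c->gateway, sizeof c->gateway) ||
        put_ipv4_field(reply, reply_len, OFF_DNS, c->dns_addr, sizeof c->dns_addr))
        return -1;
    return 0;
}
```

Applying the same IPv4 check where the values are first accepted keeps overlong strings out of the stored configuration, so the reply path is a second line of defence rather than the only one.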
2026-04-21 - Initial Vendor Contact
2026-04-21 - Vendor Disclosure
2026-04-28 - Vendor Patch Release
Philippe Laulheret of Cisco Talos