PatchSiren cyber security CVE debrief

CVE-2026-12848 GeoVision Inc. CVE debrief

CVE-2026-12848 is a critical stack-based buffer overflow in the GeoVision GV-I/O Box 4E, an embedded I/O controller with 4 digital inputs and 4 relay outputs that can be driven over Ethernet and RS-485. The flaw is in the DVRSearch service, which runs on the device by default and listens for UDP datagrams on port 10001; any host that can reach that port can send messages to it. On receipt of a datagram the service reads at most 1460 bytes into a local buffer and stores a pointer to that buffer in a global variable. A later memcpy copies data into a fixed-size stack buffer using a length the attacker controls, with no check against the destination size; that unchecked copy is the stack overflow. The CVE carries a CVSS score of 10.0 (CRITICAL). It was published on 2026-06-24T05:17:26.710Z and last modified on 2026-06-25T14:02:35.347Z.

Vendor
GeoVision Inc.
Product
GV-I/O Box 4E
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-06-25
Advisory published
2026-06-24
Advisory updated
2026-06-25

Who should care

Anyone operating a GV-I/O Box 4E should treat this as urgent. The exposure that matters for this CVE is the Ethernet side: DVRSearch listens on UDP port 10001 by default, so any host on a network segment that can reach the device can send the malformed traffic; the RS-485 bus is not needed to trigger it. Because the device switches relay outputs, a compromise can have physical consequences beyond the device itself. The critical score and the simplicity of the trigger (a UDP datagram to a default-on service) make this a high-risk issue that warrants immediate attention.

Technical summary

The vulnerable code is the DVRSearch service on the GV-I/O Box 4E. It listens on UDP port 10001 and accepts messages from any host that can reach it. On receiving a datagram, the service reads at most 1460 bytes into a local buffer and stores a pointer to that buffer in a global variable. The overflow itself comes from a memcpy whose length is derived from the data rather than from the destination: the code calls strlen(g_network_config->dns_addr) to measure the dns_addr string and passes that value as the memcpy length when copying the string into a fixed-size local (stack) buffer. Because the copy is bounded by the source string and not by the size of the destination, a dns_addr longer than the local buffer overwrites adjacent stack memory, including saved control data such as the return address, which is how a stack overflow of this kind typically becomes code execution. The stored evidence does not say how dns_addr comes under attacker control (for example, whether the same service writes it from a received message), so that link should be taken from the researcher's or vendor's advisory rather than assumed here.
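The following is an added illustration, not GeoVision's firmware or code from the Talos report. It reconstructs the pattern the summary describes (a memcpy whose length is strlen() of an attacker-influenced string, copied into a fixed-size stack buffer) and places the hardened form beside it. The structure name g_network_config and field dns_addr come from the summary; the buffer sizes, the set_dns_addr_from_message setter that stands in for whatever path lets a datagram populate dns_addr, and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vendor code. Sizes and the setter below are assumptions. */
#define MAX_UDP_MSG   1460   /* per the advisory: at most 1460 bytes read per datagram */
#define DNS_ADDR_MAX    64   /* assumed size of the local stack buffer */

struct network_config {
    char dns_addr[MAX_UDP_MSG];      /* assumed: large enough to hold anything a datagram carried */
};

static struct network_config g_storage;
static struct network_config *g_network_config = &g_storage;

/* Assumed stand-in for the path that lets received data populate dns_addr.
 * It caps at MAX_UDP_MSG-1 bytes, so the stored string can be far longer
 * than the DNS_ADDR_MAX-byte stack buffer it is later copied into. */
void set_dns_addr_from_message(const char *msg, size_t msg_len)
{
    if (msg_len > MAX_UDP_MSG - 1)
        msg_len = MAX_UDP_MSG - 1;
    memcpy(g_network_config->dns_addr, msg, msg_len);
    g_network_config->dns_addr[msg_len] = '\0';
}

/* Vulnerable pattern as described: the memcpy length is the source string's
 * length, never checked against sizeof local. A dns_addr longer than
 * DNS_ADDR_MAX overwrites the stack. Only call this with a short dns_addr. */
size_t copy_dns_addr_vulnerable(void)
{
    char local[DNS_ADDR_MAX];
    size_t n = strlen(g_network_config->dns_addr);
    memcpy(local, g_network_config->dns_addr, n);   /* no bound from the destination */
    local[n] = '\0';
    return strlen(local);
}

/* Length bounded by `max` so the scan itself never reads past the destination size
 * (written out because strnlen is not in C99). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: the destination size is the bound. Returns bytes copied, or -1
 * and leaves dst untouched when the string would not fit with its terminator. */
int copy_dns_addr_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = bounded_len(src, dst_len);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Handler sketch: an oversized dns_addr becomes a dropped message (-1)
 * instead of a corrupted stack; 0 means the copy succeeded. */
int handle_dns_addr(char *local, size_t local_len)
{
    return copy_dns_addr_bounded(local, local_len, g_network_config->dns_addr) < 0 ? -1 : 0;
}

int main(void)
{
    char local[DNS_ADDR_MAX];
    char oversized[200];

    set_dns_addr_from_message("10.0.0.53", 9);
    printf("short dns_addr: vulnerable copy %zu bytes, bounded rc=%d\n",
           copy_dns_addr_vulnerable(), handle_dns_addr(local, sizeof local));

    memset(oversized, 'A', sizeof oversized - 1);   /* constructed attacker-shaped input */
    oversized[sizeof oversized - 1] = '\0';
    set_dns_addr_from_message(oversized, strlen(oversized));
    /* copy_dns_addr_vulnerable() would now write 200 bytes into a 64-byte stack
     * buffer; the bounded path refuses the copy instead. */
    printf("oversized dns_addr: bounded rc=%d\n", handle_dns_addr(local, sizeof local));
    return 0;
}
```

The fix is not the smaller buffer or the terminator; it is that the bound on the copy comes from the destination. Note also that the hardened version scans with a capped length, since a strlen() on unterminated received data would itself read out of bounds.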

Defensive priority

Defensive priority is high. The flaw is reachable over the network on a default-enabled UDP service, the trigger is a single malformed datagram, and a stack-based overflow with an attacker-chosen copy length is the kind of bug that yields code execution, which on this device means control of the relay outputs as well as loss of availability and integrity. Patch as soon as a fix is available and remove network exposure in the meantime.

Recommended defensive actions

  • Apply the vendor's firmware update as soon as GeoVision publishes one; the stored evidence does not name a fixed version, so confirm the fix with the vendor advisory before closing the finding.
  • Do not expose the device to the internet, and restrict UDP port 10001 at the nearest firewall or switch ACL to the management hosts that legitimately need DVRSearch discovery.
  • Place the device on a segmented OT or management VLAN rather than a general-purpose network, so that every host able to reach port 10001 is one you control.
  • Monitor traffic to the device: unexpected sources sending to UDP/10001, unusually large datagrams to that port, and unexplained service restarts or reboots (a failed overflow attempt often crashes the service) are the signals to alert on.
  • Inventory every GV-I/O Box 4E on the estate and include the device and its surrounding network in regular vulnerability scanning and penetration testing.

Evidence notes

CVE-2026-12848 was discovered and reported by Talos Intelligence. The vulnerability is tracked in the National Vulnerability Database (NVD) with a CVSS score of 10.0. The stored evidence contains no GeoVision advisory, so no canonical vendor source, fixed firmware version, or vendor confidence level could be recorded for this entry.

Official resources

This article is AI-assisted and based on the supplied source corpus.