CVE-2026-12485 | GV-I/O Box 4E is a smart embedded device with 4 input and 4 … | CVSS 10.0 CRITICAL

Description

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### IP field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v3 = strlen(g_network_config->ip_addr); memcpy(&reply_buf[36], g_network_config->ip_addr, v3);

Metadata

CVE ID: CVE-2026-12485
State: PUBLISHED
Assigner: GV
Reserved: 2026-06-17 03:09 UTC
Published: 2026-06-24 03:34 UTC
Last updated: 2026-06-24 03:34 UTC
Primary CWE: CWE-121
CWE-121 Stack-based buffer overflow
Vendor / Product: GeoVision Inc. / GV-I/O Box 4E
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
GeoVision Inc.	GV-I/O Box 4E	Linux	V2.09, v2.12

Weakness (CWE)

CWE	Source	Description
CWE-121	cna	CWE-121 Stack-based buffer overflow

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (2)