CVE Catalog

CVE-2026-12848

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile — higher than 34% of all known CVEs

Summary

The GV-I/O Box 4E is a smart embedded device that supports communication over Ethernet and RS-485. The DVRSearch service, running by default on port 10001, is vulnerable to a stack overflow that can be exploited by an attacker to execute malicious code.

Risk Assessment

An attacker on the network can send a specially crafted UDP message, leading to buffer overflow and potential control over the device. This poses a serious threat to network and data security.

Recommendation

It is recommended to block access to port 10001 and update the device firmware to patch this vulnerability. Additionally, monitor network traffic for potential attack attempts.

Original NVD description (English source)

GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it. Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable: #### DNS field stack overflow The following code is vulnerable to a stack overflow that is attacker-controlled: v8 = strlen(g_network_config->dns_addr); memcpy(&reply_buf[248], g_network_config->dns_addr, v8);

Vulnerability data from NVD (NIST) · CISA KEV · EPSS