CVE-2026-35716 - Vulnerability Details

Description

A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries.

Published: 2026-06-02

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A stack‑based buffer overflow exists in the motion_privacy.cgi binary of VIVOTEK FD8136 firmware FD8136-VVTK-0300a. An authenticated remote attacker can send a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoints (all symlinks to the same binary) with an oversized n1 parameter. The parameter value is copied into a fixed‑size 0xa4‑byte stack buffer without bounds checking, overwriting the saved link register, and the binary lacks stack canaries. The resulting vulnerability allows arbitrary code execution with root privileges.

Affected Systems

Only VIVOTEK FD8136 devices that are running firmware version FD8136-VVTK-0300a are affected. This firmware hosts the motion_privacy.cgi binary and the CGI endpoints mentioned in the description.

Risk and Exploitability

The potential impact is severe; an attacker who can authenticate to the device can run arbitrary code as root, compromising the entire camera system. The CVSS score is not publicly available, and the EPSS score is not listed, but due to the nature of the flaw and the absence of mitigation mechanisms such as stack canaries, the likelihood of exploitation in a targeted context remains high. The vulnerability is not listed in the CISA KEV catalog at present, but that does not reduce its risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Vivotek

Fd8136

80%

Version	Status	Scheme	Platform
`FD8136-VVTK-0300a`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Implement a firmware update from VIVOTEK that addresses the buffer overflow in the motion_privacy.cgi binary.
Limit access to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, and /cgi-bin/admin/setmd_profile.cgi endpoints to trusted IP addresses or internal networks.
Block or filter HTTP POST requests that contain an oversized n1 parameter before they reach the camera, using firewall or network security appliances.

Generated by OpenCVE AI on June 2, 2026 at 16:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://vivotek.com
https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-35716

History

Tue, 02 Jun 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vivotek Vivotek fd8136
Vendors & Products		Vivotek Vivotek fd8136

Tue, 02 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title		Authenticated Remote Buffer Overflow in VIVOTEK FD8136 Motion Privacy CGI
Weaknesses		CWE-119 CWE-121 CWE-787

Tue, 02 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries.
References		http://vivotek.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-35716

Subscriptions

Vivotek Fd8136

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-06-02T00:00:00.000Z

Updated: 2026-06-02T14:26:13.372Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-35716

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-02T16:16:37.187

Modified: 2026-06-02T17:20:35.733

Link: CVE-2026-35716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T17:30:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object