Description
An unauthenticated NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of multipart upload headers when processing certificate-related upload fields. A remote attacker may exploit this vulnerability by sending a malformed multipart request, causing the affected CGI process to crash and resulting in a denial of service.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference flaw exists in the IEEE8021x_upload.cgi script on GeoVision GV‑LPC2011 and GV‑LPC2211 devices. An unauthenticated attacker can craft a malicious multipart HTTP request that targets the certificate‑related upload fields; when the request is parsed, the CGI process crashes, terminating the task and making the device’s authentication service unavailable. The vulnerability is a classic example of CWE‑476 and results in a denial of service, with no immediate data disclosure or privilege escalation.

Affected Systems

The flaw affects GeoVision Inc.’s GV‑LPC2011 and GV‑LPC2211 cameras running firmware version 1.12 and earlier, as indicated by the CPE identifiers and vendor advisory. Firmware 1.13 is listed in the CPE data set, suggesting it may also be impacted.

Risk and Exploitability

The CVSS score of 7.5 classifies this as a high‑severity denial‑of‑service risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires only a malformed HTTPS request to the CGI endpoint and no authentication, the barrier to exploitation is low. An attacker could quickly disrupt services on exposed devices, potentially affecting network availability.

Generated by OpenCVE AI on June 26, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor‑issued firmware update that addresses CVE-2026-57873 if available.
  • Firewall or ACL rules should restrict access to the IEEE8021x_upload.cgi endpoint to trusted IP ranges to limit exposure.
  • If an update is not yet available, consider disabling or blocking the upload functionality in the web server configuration so that malicious multipart data is not accepted.



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | An unauthenticated NULL pointer dereference vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of multipart upload headers when processing certificate-related upload fields. A remote attacker may exploit this vulnerability by sending a malformed multipart request, causing the affected CGI process to crash and resulting in a denial of service.
Title | | GV-LPC2011/LPC2211 - unauthorized null pointer dereference vulnerability (IEEE8021x_upload.cgi)
First Time appeared | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
Weaknesses | | CWE-476
CPEs | | cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.12:*:linux:*:*:*:*:*; cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.13:*:linux:*:*:*:*:*
Vendors & Products | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-26T15:29:14.906Z

Reserved: 2026-06-26T02:40:42.397Z

Link: CVE-2026-57873

Vulnrichment

Updated: 2026-06-26T15:29:10.498Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T08:30:04Z

Weaknesses