Description
An unauthenticated buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when parsing filename values in multipart upload data. A remote attacker may exploit this vulnerability by sending a crafted upload request with overly long input, causing memory corruption and resulting in a denial of service.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated buffer overflow exists in the IEEE8021x_upload.cgi component of GeoVision’s GV-LPC2011 and GV-LPC2211 cameras. The flaw arises from insufficient bounds checking of filename values in multipart upload data, allowing an attacker to send a crafted upload request with an overly long filename. This overflow corrupts memory and can crash the device, resulting in a denial of service. The associated CVSS score of 7.5 indicates a high severity of the vulnerability.

Affected Systems

The affected products are GeoVision’s GV-LPC2011 and GV-LPC2211 devices running on Linux. Vulnerable firmware releases include version 1.12 and earlier, as specified in the vulnerability description. The Common Platform Enumeration strings also reference release 1.13, but the description specifically notes 1.12 and earlier are impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, with no EPSS data available, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be a network‑based, unauthenticated request to the device’s HTTP interface, specifically targeting the IEEE8021x_upload.cgi endpoint. An attacker simply needs the ability to upload a file through this CGI; no authentication is required, and by supplying a filename that exceeds expected bounds, the attacker can trigger a memory corruption that typically results in a device reboot or crash, thereby denying service to legitimate users.

Generated by OpenCVE AI on June 26, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GeoVision cameras to a firmware release that patches the buffer overflow; if a newer version is not yet available, apply any vendor‑supplied patch that corrects the bounds checking in IEEE8021x_upload.cgi.
  • Restrict external access to the IEEE8021x_upload.cgi endpoint by firewalling or network segmentation, ensuring that only trusted internal hosts can send upload requests.
  • Implement strict file size and name validation on the device or at the network perimeter to reject oversized or malformed upload data before it reaches the CGI handler.

Generated by OpenCVE AI on June 26, 2026 at 08:23 UTC.
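
The filename validation named in the third recommendation, sketched in C as an added example; it is not GeoVision firmware code and not part of the OpenCVE record. The function name `extract_upload_filename`, the `MAX_FILENAME` limit of 64 bytes and the sample header are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this illustration; the firmware's real buffer size is not on this page. */
#define MAX_FILENAME 64

enum fn_status { FN_OK = 0, FN_MISSING = -1, FN_TOO_LONG = -2, FN_BAD_CHAR = -3 };

/* Copy the filename="..." value of one Content-Disposition line into dst.
 * Oversized or unterminated values are rejected, never truncated or copied. */
enum fn_status extract_upload_filename(const char *hdr, char *dst, size_t dst_cap)
{
    static const char key[] = "filename=\"";
    const char *start, *end;
    size_t len, i;

    if (!hdr || !dst || dst_cap == 0)
        return FN_MISSING;
    dst[0] = '\0';
    start = strstr(hdr, key);
    if (!start)
        return FN_MISSING;
    start += sizeof(key) - 1;
    end = strchr(start, '"');
    if (!end)
        return FN_MISSING;              /* unterminated quoted value */
    len = (size_t)(end - start);
    if (len == 0)
        return FN_MISSING;
    if (len >= dst_cap || len > MAX_FILENAME)
        return FN_TOO_LONG;             /* the length check CWE-120 code omits */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (c < 0x20 || c == 0x7f || c == '/' || c == '\\')
            return FN_BAD_CHAR;         /* no control bytes or path separators */
    }
    memcpy(dst, start, len);            /* len < dst_cap was verified above */
    dst[len] = '\0';
    return FN_OK;
}

int main(void)
{
    /* Constructed sample header, not captured traffic. */
    const char *hdr = "Content-Disposition: form-data; name=\"file\"; filename=\"ca.pem\"";
    char name[MAX_FILENAME + 1];
    enum fn_status st = extract_upload_filename(hdr, name, sizeof name);
    printf("status=%d filename=%s\n", st, name);
    return st == FN_OK ? 0 : 1;
}
```

The same length and character rules can be enforced by a reverse proxy in front of the camera, so that a rejected request never reaches the CGI handler.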

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Fri, 26 Jun 2026 07:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | An unauthenticated buffer overflow vulnerability exists in IEEE8021x_upload.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when parsing filename values in multipart upload data. A remote attacker may exploit this vulnerability by sending a crafted upload request with overly long input, causing memory corruption and resulting in a denial of service. |
| Title | | GV-LPC2011/LPC2211 - unauthorized buffer overflow vulnerability (IEEE8021x_upload.cgi) |
| First Time appeared | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211 |
| Weaknesses | | CWE-120 |
| CPEs | | `cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.12:*:linux:*:*:*:*:*`; `cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.13:*:linux:*:*:*:*:*` |
| Vendors & Products | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211 |
| References | | |
| Metrics | | cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-26T15:30:08.355Z

Reserved: 2026-06-26T02:40:42.397Z

Link: CVE-2026-57874

Vulnrichment

Updated: 2026-06-26T15:30:00.364Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T08:30:04Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')