Description
An unauthenticated NULL pointer dereference vulnerability exists in the HTTP request parsing logic of multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of required HTTP request metadata before it is used by the affected components. A remote attacker may exploit this vulnerability by sending a specially crafted HTTP request, causing the affected process to crash and resulting in a denial of service.
Published: 2026-06-26
Score: 7.5 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GeoVision GV-LPC2011 and GV-LPC2211 version 1.12 and earlier contain a vulnerability that allows an unauthenticated attacker to trigger a NULL pointer dereference during HTTP request parsing. The flaw occurs because the CGI components use required HTTP request metadata without first validating it. Exploitation crashes the affected process, causing a denial of service and potential service interruption. The weakness is classified as CWE-476 (NULL Pointer Dereference).

Affected Systems

The affected systems are the GeoVision Inc. GV-LPC2011 and GV-LPC2211 CCTV and monitoring devices running firmware version 1.12 or earlier. The product is distributed under the brand GeoVision. It is unknown whether versions beyond 1.12 contain a fix; specific remediation details are not listed in the advisory.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score is 1% and the vulnerability is not listed in the current CISA KEV catalog. The attack vector is remote and requires only that the attacker send a specially crafted HTTP request to the CGI component. Because no authentication is required and the request can cause an immediate crash, this is a straightforward denial-of-service attack once the device is reachable.

Generated by OpenCVE AI on June 26, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest firmware version available to eliminate the null pointer dereference in HTTP packet parsing.
  • Implement network segmentation or firewall rules to restrict HTTP access to the GV-LPC2011/LPC2211 interface only to trusted hosts, reducing the attack surface.
  • Apply additional input validation or request filtering at the network boundary to reject malformed HTTP metadata before it reaches the vulnerable CGI components.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description: An unauthenticated NULL pointer dereference vulnerability exists in the HTTP request parsing logic of multiple CGI components in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper validation of required HTTP request metadata before it is used by the affected components. A remote attacker may exploit this vulnerability by sending a specially crafted HTTP request, causing the affected process to crash and resulting in a denial of service.
Title: GV-LPC2011/LPC2211 - unauthorized null pointer dereference vulnerability in packet parsing
First Time appeared: Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
Weaknesses: CWE-476
CPEs: cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.12:*:linux:*:*:*:*:*
      cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.13:*:linux:*:*:*:*:*
Vendors & Products: Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
References:
Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-26T15:36:33.907Z

Reserved: 2026-06-26T02:40:42.397Z

Link: CVE-2026-57875

Vulnrichment

Updated: 2026-06-26T15:36:30.283Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T14:30:17Z
