Description
An unauthenticated out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when processing HTTP request body data. A remote attacker may exploit this vulnerability by sending a crafted request with excessive input, causing memory corruption and resulting in a denial of service.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. Insufficient bounds checking when processing HTTP request body data allows a remote attacker to send a crafted request with excessive input, causing memory corruption and resulting in a denial of service.

Affected Systems

GeoVision Inc. produces the GV-LPC2011/LPC2211 series of Linux-based cameras. Versions 1.12 and all earlier releases are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity vulnerability. EPSS data is not available and the issue is not listed in CISA KEV, suggesting a moderate exploit probability. The likely attack vector is remote over HTTP, as the flaw is triggered by malformed request bodies sent to onvif.cgi. If successfully exploited, an attacker can crash the device and disrupt surveillance operations.

Generated by OpenCVE AI on June 26, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a version newer than 1.12, which removes the vulnerable onvif.cgi implementation.
  • Disable or restrict the onvif.cgi HTTP interface when it is not needed, limiting exposure to external networks.
  • Implement network segmentation and firewall rules to isolate the cameras from untrusted traffic and log any anomalous requests for further analysis.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | An unauthenticated out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when processing HTTP request body data. A remote attacker may exploit this vulnerability by sending a crafted request with excessive input, causing memory corruption and resulting in a denial of service.
Title | | GV-LPC2011/LPC2211 - unauthorized out-of-bounds writing vulnerability (onvif.cgi)
First Time appeared | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
Weaknesses | | CWE-787
CPEs | | cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.12:*:linux:*:*:*:*:*; cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.13:*:linux:*:*:*:*:*
Vendors & Products | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-26T15:40:10.368Z

Reserved: 2026-06-26T02:40:42.397Z

Link: CVE-2026-57876

Vulnrichment

Updated: 2026-06-26T15:40:04.513Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T08:30:04Z

Weaknesses