Description
An unauthenticated format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling of externally controlled input during log message formatting in the login processing path. A remote attacker may exploit this vulnerability by sending crafted login data, potentially causing information disclosure, memory corruption, or a denial of service.
Published: 2026-06-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated format string flaw exists in the vlsvr login handler of GV‑LPC2011 and GV‑LPC2211 firmware. The flaw is caused by improper handling of externally controlled input during log message formatting. A remote attacker can send crafted login data, potentially leading to information disclosure, memory corruption, or a denial of service. The weakness maps to CWE‑134 and allows an attacker to read arbitrary memory or crash the process.

Affected Systems

The vulnerability targets GeoVision Inc. GV‑LPC2011 and GV‑LPC2211 devices running firmware 1.12 and earlier on Linux. Firmware versions 1.13 and newer are assumed to incorporate the fix.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The lack of a KEV listing suggests no known exploitation. The attack is likely carried out remotely through the login interface, requiring no authentication. If exploited, the attacker could gain sensitive system information or destabilize the device.

Generated by OpenCVE AI on June 26, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to version 1.13 or later, which addresses the format string handling bug.
  • Restrict network access to the login service using firewalls or ACLs to limit exposure to trusted hosts.
  • Configure the logging subsystem to disable or sanitize format string usage, ensuring that user input is not treated as a format string.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | An unauthenticated format string vulnerability exists in vlsvr in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by improper handling of externally controlled input during log message formatting in the login processing path. A remote attacker may exploit this vulnerability by sending crafted login data, potentially causing information disclosure, memory corruption, or a denial of service.
Title | | GV-LPC2011/LPC2211 - unauthorized format string vulnerability (vlsvr)
First Time appeared | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
Weaknesses | | CWE-134
CPEs | | cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.12:*:linux:*:*:*:*:*; cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.13:*:linux:*:*:*:*:*
Vendors & Products | | Geovision Inc.; Geovision Inc. gv-lpclpc2011 2211
References | |
Metrics | | cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GV

Published:

Updated: 2026-06-26T15:42:18.428Z

Reserved: 2026-06-26T02:40:42.397Z

Link: CVE-2026-57877

Vulnrichment

Updated: 2026-06-26T15:42:14.009Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T09:00:13Z

Weaknesses
  • CWE-134: Use of Externally-Controlled Format String