GeoVision GeoWebPlayer Websocket Server out-of-bounds read vulnerability
Summary
| CVE | CVE-2026-57268 |
|---|---|
| State | PUBLISHED |
| Assigner | GV |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-02 04:17:12 UTC |
| Updated | 2026-07-02 16:51:29 UTC |
| Description | GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly. The Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound. ### saveVideo command index-out-of-bound When sending the `saveVideo` command, the `index` field is extracted from the websocket message [1]. Then without checking the range of the index, it is used to trigger a CriticalSection ([2]) and releases it [3]. The release function call ([3]) is executed using a function pointer which will be read out of bounds potentially leading to code execution: v6 = get_entry(a2, "index"); result = json_is_value_int(v6); if ( (_BYTE)result ) { v8 = get_entry(a2, "index"); index = json_value_to_int(&v8->value); // [1] result = CCriticalSection::EnterCritSection(&this->crit_sections[index]); //[2] if ( result ) { if ( this->array_of_IPCams[index] ) { if ( this->array_of_IPCams[index]->field_20 ) do_PostMessageA((CViewer *)this->array_of_IPCams[index], 0x111u, 0x139Fu, v11); } return (*(int (__thiscall **)(CCriticalSection *))(this->crit_sections[index].vtbl + 20))(&this->crit_sections[index]); //[3] } } |
Risk And Classification
Primary CVSS: v3.1 8.3 HIGH from 0df08a0e-a200-4957-9bb0-084f562506f9
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.002860000 probability, percentile 0.203980000 (date 2026-07-03)
Problem Types: CWE-129 | CWE-129 CWE-129 Improper validation of array index
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 0df08a0e-a200-4957-9bb0-084f562506f9 | Secondary | 8.3 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 8.3 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
RequiredScope
ChangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | GeoVision Inc. | GeoWebPlayer | affected V1.1.1.0 | Windows, 64 bit |
| CNA | GeoVision Inc. | GeoWebPlayer | unaffected V1.1.3.0 | Windows, 64 bit |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.geovision.com.tw/cyber_security.php | 0df08a0e-a200-4957-9bb0-084f562506f9 | www.geovision.com.tw | |
| talosintelligence.com/vulnerability_reports/TALOS-2026-2373 | 0df08a0e-a200-4957-9bb0-084f562506f9 | talosintelligence.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Philippe Laulheret of Cisco Talos (en)
CNA: Kelly Patterson of Cisco Talos (en)
CNA: Robert Sherwin of Cisco Talos (en)
Additional Advisory Data
Solutions
CNA: The vulnerability has been patched with GeoWebPlayer V1.1.3.0
There are currently no legacy QID mappings associated with this CVE.