PT-2026-36737 · Unknown · Gv-Vms V20

Kelly Patterson +2 · Published 2026-05-04 · Updated 2026-06-17 · CVE-2026-42369

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

GV-VMS version V20

Description

A stack-based buffer overflow exists in the WebCam Server component of the video monitoring software. When remote access is enabled, the gvapi endpoint authenticates requests through the HTTP Authorization header and supports both Basic and Digest modes. The base64-decoded string, stored in the b64decoder variable, is copied into the Buffer stack variable without a bounds check. If the decoded string exceeds 256 characters, the stack overflow is triggered. The web server is compiled without ASLR (Address Space Layout Randomization, a technique that randomizes the addresses of key data areas to hinder memory corruption attacks), so an attacker can gain full code execution with SYSTEM privileges on the host machine.

Recommendations

Update GV-VMS version V20 to a patched version. Disable the remote access WebCam Server feature to prevent exploitation.
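
The missing bound check described above, shown in its corrected form as an added example (this is not the vendor's code or patch). The function names and the 256-byte capacity of Buffer are assumptions; only the Buffer name and the Basic scheme come from the description.

```c
#include <string.h>

#define BUFFER_SIZE 256 /* assumed capacity of the page's Buffer variable */

/* Map one base64 character to its 6-bit value; -1 if not in the alphabet. */
static int b64_value(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into out (capacity cap), always NUL-terminated on success.
 * Returns the decoded length, or -1 if input is malformed or would not fit.
 * Decoding stops at the first '=' padding character. */
static long b64_decode_bounded(const char *in, char *out, size_t cap) {
    size_t n = 0;
    unsigned acc = 0;
    int bits = 0;
    if (cap == 0) return -1;
    for (; *in && *in != '='; in++) {
        int v = b64_value((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= cap) return -1; /* the bound check: reserve room for NUL */
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (long)n;
}

/* Hypothetical handler for "Authorization: Basic <base64(user:pass)>".
 * Returns 0 if credentials were decoded within bounds, -1 if rejected. */
int parse_basic_auth(const char *value, char *user, size_t user_cap) {
    char Buffer[BUFFER_SIZE]; /* fixed-size stack buffer, as on the page */
    if (strncmp(value, "Basic ", 6) != 0) return -1;
    if (b64_decode_bounded(value + 6, Buffer, sizeof Buffer) < 0) return -1;
    const char *colon = strchr(Buffer, ':');
    if (!colon || (size_t)(colon - Buffer) >= user_cap) return -1;
    memcpy(user, Buffer, (size_t)(colon - Buffer));
    user[colon - Buffer] = '\0';
    return 0;
}

int main(void) { char u[64]; return parse_basic_auth("Basic dXNlcjpwYXNz", u, sizeof u); }
```

The decoder enforces the limit while writing, so an oversized header is rejected before any byte lands past the end of Buffer.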

Fix

RCE

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-42369

Affected Products

Gv-Vms V20