Stack-based Buffer Overflow in VIVOTEK FD8136 Firmware
CVE-2026-35716

6.3MEDIUM

Key Information:

Vendor

VIVOTEK

Vendor
CVE Published:
2 June 2026

What is CVE-2026-35716?

The VIVOTEK FD8136 firmware contains a stack-based buffer overflow vulnerability in the motion_privacy.cgi binary. This issue allows authenticated remote attackers to send specially crafted POST requests, exploiting the oversized n1 parameter. By doing so, they can execute arbitrary code with root privileges. The vulnerability arises because the parameter value is copied into a fixed-size 0xa4-byte stack buffer without proper bounds checking. As a result, it overwrites the saved link register. Additionally, the binary is compiled without stack canaries, further increasing the risk of exploitation.

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.