Stack-based Buffer Overflow in VIVOTEK FD8136 Firmware
CVE-2026-35717

6.3MEDIUM

Key Information:

Vendor

VIVOTEK

Vendor
CVE Published:
2 June 2026

What is CVE-2026-35717?

The VIVOTEK FD8136 firmware contains a stack-based buffer overflow vulnerability within the export_language.cgi binary. Authenticated remote attackers can exploit this flaw by sending a specially crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. This vulnerability stems from the improper handling of the Content-Length value, which is directly passed to the fread() function as a size parameter, leading to potential overwriting of the stack's saved link register. Notably, the absence of stack canaries in the binary further exacerbates the risk, allowing attackers to execute arbitrary code with root privileges.

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.