Stack-Based Buffer Overflow Vulnerability in the EZVIZ Motion Detection component
Description
Stack-based buffer overflow in EZVIZ motion detection allows remote code execution on multiple camera models.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow vulnerability exists in the motion detection component of several EZVIZ camera models. The issue is triggered when processing crafted network packets, leading to memory corruption. Affected models include CS-CV248 (firmware prior to 5.2.3 build 220725), CS-C6N-A0-1C2WFR (prior to 5.3.0 build 220428), CS-DB1C-A0-1E2W2FR (prior to 5.3.0 build 220802), CS-C6N-B0-1G2WF (prior to 5.3.0 build 220712), and CS-C3W-A0-3H4WFRL (prior to 5.3.5 build 220723) [1]. The vulnerability is present in the firmware and is reachable remotely over the network.
Exploitation
An attacker can exploit this vulnerability remotely without requiring authentication. By sending specially crafted network requests to the motion detection component, the attacker triggers a stack-based buffer overflow, which can overwrite memory and redirect execution flow. No user interaction is required [1].
Impact
Successful exploitation allows a remote attacker to achieve remote code execution (RCE) on the device with the privileges of the affected process. This can lead to full compromise of the camera, including access to video feeds, ability to execute arbitrary commands, and potential use as a pivot point within the local network [1].
Mitigation
EZVIZ has released firmware updates to address this vulnerability. Affected users should update to the following fixed versions: CS-CV248 to version 5.2.3 build 220725, CS-C6N-A0-1C2WFR to 5.3.0 build 220428, CS-DB1C-A0-1E2W2FR to 5.3.0 build 220802, CS-C6N-B0-1G2WF to 5.3.0 build 220712, and CS-C3W-A0-3H4WFRL to 5.3.5 build 220723 [1]. No workaround has been provided. The vulnerability is not known to be in the CISA KEV catalog.
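One way to triage a camera inventory against the fixed versions listed above (an added example, not code from EZVIZ or the referenced advisory). It assumes firmware strings look like "V5.3.0 build 220428" and that releases order by version number first, then by build date; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed firmware per model, copied from the mitigation text above.
FIXED = {
    "CS-CV248": ((5, 2, 3), 220725),
    "CS-C6N-A0-1C2WFR": ((5, 3, 0), 220428),
    "CS-DB1C-A0-1E2W2FR": ((5, 3, 0), 220802),
    "CS-C6N-B0-1G2WF": ((5, 3, 0), 220712),
    "CS-C3W-A0-3H4WFRL": ((5, 3, 5), 220723),
}

# Assumed format: optional "V", dotted version, the word "build", 6-digit YYMMDD build.
_FW = re.compile(r"^\s*V?(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{6})\s*$", re.IGNORECASE)

def parse_firmware(text):
    """Return ((major, minor, patch), build), or None if the string is unparseable."""
    m = _FW.match(text)
    if not m:
        return None
    return (tuple(int(x) for x in m.group(1, 2, 3)), int(m.group(4)))

def triage(model, firmware):
    """Classify one device as 'not-listed', 'unknown', 'update' or 'fixed'."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        return "not-listed"   # model is not named in this advisory
    parsed = parse_firmware(firmware)
    if parsed is None:
        return "unknown"      # unreadable version: check by hand, never assume fixed
    # Assumption: releases order by version first, then by build date.
    return "update" if parsed < fixed else "fixed"

# Constructed sample inventory: (device name, model, reported firmware).
INVENTORY = [
    ("porch", "CS-DB1C-A0-1E2W2FR", "V5.3.0 build 220802"),
    ("garage", "CS-C3W-A0-3H4WFRL", "V5.3.5 build 220120"),
    ("hall", "CS-CV248", "V5.2.1 build 180403"),
    ("attic", "CS-C6N-B0-1G2WF", "unreadable"),
]

if __name__ == "__main__":
    for name, model, fw in INVENTORY:
        print(f"{name:8} {model:20} {fw:22} {triage(model, fw)}")
```

Devices reported as `unknown` should be treated as needing an update until their firmware version is confirmed.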
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- EZVIZ/CS-C3W-A0-3H4WFRL (v5; Range: unspecified)
- EZVIZ/CS-C6N-A0-1C2WFR (v5; Range: unspecified)
- EZVIZ/CS-C6N-B0-1G2WF (v5; Range: unspecified)
- EZVIZ/CS-CV248 (v5; Range: unspecified)
- EZVIZ/CS-DB1C-A0-1E2W2FR (v5; Range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stack-based buffer overflow in the motion detection routine allows a remote attacker to overflow a fixed-size stack buffer and overwrite the return address."
Attack vector
A remote attacker sends a crafted network request to the camera's motion detection component, which triggers a stack-based buffer overflow [1]. The overflow occurs when the motion detection routine copies attacker-controlled data into a fixed-size stack buffer without proper bounds checking. By carefully crafting the payload, the attacker overwrites the saved return address on the stack and gains control of the program counter, leading to arbitrary code execution on the device [1]. No authentication is required because the vulnerable motion detection endpoint is exposed to the network.
Affected code
The vulnerability resides in the motion detection routine of the EZVIZ camera firmware. The advisory does not specify the exact function or file path, but identifies the vulnerable component as the "motion detection routine" [1]. The affected firmware versions are V5.2.1 build 180403 through V5.3.5 build 220120 across five camera models: CS-CV248, CS-C6N-A0-1C2WFR, CS-DB1C-A0-1E2W2FR, CS-C6N-B0-1G2WF, and CS-C3W-A0-3H4WFRL [1].
What the fix does
The advisory does not include a patch diff, but the vendor confirmed a fix was in progress as of May 2022 and updates were rolling out by June 2022 [1]. The remediation guidance is to update each affected camera model to the specified patched firmware versions: CS-CV248 to 5.2.3 build 220725, CS-C6N-A0-1C2WFR to 5.3.0 build 220428, CS-DB1C-A0-1E2W2FR to 5.3.0 build 220802, CS-C6N-B0-1G2WF to 5.3.0 build 220712, and CS-C3W-A0-3H4WFRL to 5.3.5 build 220723 [1]. The fix likely introduces proper bounds checking on the input size before copying data into the stack buffer in the motion detection routine.
Preconditions
- network: Attacker must have network access to the camera's motion detection endpoint.
- input: Attacker must craft a payload that exceeds the fixed-size stack buffer in the motion detection routine.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.bitdefender.com/blog/labs/vulnerabilities-identified-in-ezviz-smart-cams (mitre, x_refsource_MISC)