CVE-2026-35716

Vulnerability

A stack-based buffer overflow vulnerability exists in the motion_privacy.cgi binary within VIVOTEK FD8136 firmware version FD8136-VVTK-0300a. This vulnerability is triggered when processing an oversized n1 parameter in POST requests to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoints, which are all symlinks to the same binary. The binary copies the n1 parameter value into a fixed-size 0xa4-byte stack buffer without bounds checking, and it is compiled without stack canaries [2].

Exploitation

An authenticated remote attacker can exploit this vulnerability by sending a POST request with an oversized n1 parameter to one of the affected CGI endpoints. The oversized parameter value overwrites the saved link register on the stack, allowing the attacker to redirect control flow. The binary lacks memory protections like stack canaries, which simplifies exploitation [2].

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary code with root privileges on the affected VIVOTEK FD8136 device. This grants the attacker complete control over the device [2].

Mitigation

As of the available references, a patched firmware version has not been disclosed. It is recommended to consult VIVOTEK for any available security updates or advisories. No workarounds are currently specified [1, 2].