CVE-2026-35717

Vulnerability

A stack-based buffer overflow vulnerability exists in the export_language.cgi binary of VIVOTEK FD8136 devices running firmware version FD8136-VVTK-0300a. The vulnerability is triggered when processing a POST request to the /cgi-bin/admin/export_language.cgi endpoint. The handler incorrectly uses an attacker-controlled Content-Length value to read data into a fixed-size 0x60-byte stack buffer, overwriting the saved link register. The binary is compiled without stack canaries [2].

Exploitation

An authenticated remote attacker can exploit this vulnerability by sending a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. The attacker needs to provide a POST body longer than 0x60 bytes, which will overflow the stack buffer. The export_language.cgi binary reads the request content from stdin without bounds checking and uses a length derived from attacker-controlled input for a memcpy operation into the fixed-size buffer. This allows control flow to be redirected to shellcode staged in memory [2].

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to execute arbitrary commands as the root user on the affected VIVOTEK FD8136 device. This is due to the binary running as root and lacking memory protections like stack canaries, making exploitation straightforward and granting full control over the device [2].

Mitigation

As of the available references, a patched firmware version has not been publicly disclosed, and no workarounds are specified. Users are advised to consult VIVOTEK for potential updates or patches. The affected firmware version is FD8136-VVTK-0300a [1, 2].