CVE-2026-20766
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Milesight | MS-Cxx63-PD | 0 <= 51.7.0.77-r12 | affected |
| Milesight | MS-Cxx64-xPD | 0 <= 51.7.0.77-r12 | affected |
| Milesight | MS-Cxx73-xPD | 0 <= 51.7.0.77-r12 | affected |
| Milesight | MS-Cxx75-xxPD | 0 <= 51.7.0.77-r12 | affected |
| Milesight | MS-Cxx83-xPD | 0 <= 51.7.0.77-r12 | affected |
| Milesight | MS-Cxx74-PA | 0 <= 3x.8.0.3-r11 | affected |
| Milesight | MS-C8477-HPG1 | 0 <= 63.8.0.4-r3 | affected |
| Milesight | MS-C8477-PC | 0 <= 48.8.0.4-r3 | affected |
| Milesight | MS-C5321-FPE | 0 <= 62.8.0.4-r5 | affected |
| Milesight | MS-Cxx72-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx62-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx52-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx66-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx66-xxxGPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx61-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx67-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx71-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx41-xxxPE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx76-PE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx65-PE | 0 <= 61.8.0.5-r2 | affected |
| Milesight | MS-Cxx66-xxxG1 | 0 <= 63.8.0.5-r3 | affected |
| Milesight | MS-Cxx62-xxxG1 | 0 <= 63.8.0.5-r3 | affected |
| Milesight | MS-Cxx72-xxxG1 | 0 <= 63.8.0.5-r3 | affected |
| Milesight | MS-CQxx31-xxxG1 | 0 <= CQ_63.8.0.5-r1 | affected |
| Milesight | MS-CQxx68-xxxG1 | 0 <= CQ_63.8.0.5-r1 | affected |
| Milesight | MS-CQxx72-xxxG1 | 0 <= CQ_63.8.0.5-r1 | affected |
| Milesight | MS-Nxxxx-NxE | 0 <= 7x.9.0.19-r5 | affected |
| Milesight | MS-Nxxxx-xxC | 0 <= 7x.9.0.19-r5 | affected |
| Milesight | MS-Nxxxx-xxE | 0 <= 7x.9.0.19-r5 | affected |
| Milesight | MS-Nxxxx-xxG | 0 <= 7x.9.0.19-r5 | affected |
| Milesight | MS-Nxxxx-xxH | 0 <= 7x.9.0.19-r5 | affected |
| Milesight | MS-Nxxxx-xxT | 0 <= 7x.9.0.19-r5 | affected |
| Milesight | PMC8266-FPE | 0 <= PO_61.8.0.4_LPR | affected |
| Milesight | PMC8266-FGPE | 0 <= PO_61.8.0.4_LPR | affected |
| Milesight | PM3322-E | 0 <= PI_61.8.0.3_LPR-r3 | affected |
| Milesight | TS4466-X4RIPG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS5366-X12RIPG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS8266-X4RIPG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS4466-X4RIVPG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS4466-RFIVPG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS8266-X4RIVPG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS8266-RFIVPG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS4466-X4RIWG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS8266-X4RIWG1 | 0 <= T_63.8.0.4_LPR-r3 | affected |
| Milesight | TS5510-GVH | 0 <= T_47.8.0.4_LPR-r7 | affected |
| Milesight | TS5510-GH | 0 <= T_47.8.0.4_LPR-r6 | affected |
| Milesight | TS5511-GVH | 0 <= T_47.8.0.4_LPR-r6 | affected |
| Milesight | TS2966-X12TPE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS4466-X4RPE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS5366-X12PE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS8266-X4PE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS2966-X12TVPE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS4466-X4RVPE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS5366-X12VPE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS8266-X4VPE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS4441-X36RPE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS4441-X36RE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS4466-X4RWE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | TS8266-X4WE | 0 <= T_61.8.0.4_LPR-r3 | affected |
| Milesight | MS-C2964-RFLPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-C2972-RFLPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-C2966-RFLWPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS2866-X4TPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS2866-X4TVPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS2866-X4TGPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS2841-X36TPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS2841-X36TPC/W | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS2867-X5TPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS2961-X12TPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | TS8266-FPC/P | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-C2966-X12RLPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-C2966-X12RLVPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-C5366-X12LPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-C5366-X12LVPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-C5361-X12LPC | 0 <= T_45.8.0.3-r9 | affected |
| Milesight | MS-Cxx66-xxxxGOPC | 0 <= 45.8.0.2-AIoT-r4 | affected |
| Milesight | SC211 | 0 <= C_21.1.0.8-r4 | affected |
| Milesight | SP111 | 0 <= 52.8.0.4-r5 | affected |
| Milesight | MS-Cxx66-RFIPKG1 | 0 <= 63.8.0.4-r1-NX | affected |
| Milesight | MS-Cxx72-RFIPKG1 | 0 <= 63.8.0.4-r1-NX | affected |
| Milesight | MS-Cxx66-FIPKG1 | 0 <= 63.8.0.4-r1-NX | affected |
| Milesight | MS-Cxx72-FIPKG1 | 0 <= 63.8.0.4-r1-NX | affected |
Weaknesses
- CWE-122: CWE-122
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json
- https://www.milesight.com/support/download/firmware
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.