Skip to main content

tsMuxer CVE-2026-7739

| EUVDEUVD-2026-26922 LOW
Improper Resource Shutdown or Release (CWE-404)
2026-05-04 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
PoC Detected
May 04, 2026 - 15:17 vuln.today
Public exploit code
Analysis Generated
May 04, 2026 - 07:31 vuln.today
CVSS changed
May 04, 2026 - 07:22 NVD
3.3 (LOW) 1.9 (LOW)
EUVD ID Assigned
May 04, 2026 - 07:00 euvd
EUVD-2026-26922
Analysis Generated
May 04, 2026 - 07:00 vuln.today
CVE Published
May 04, 2026 - 06:15 nvd
LOW 1.9

DescriptionCVE.org

A weakness has been identified in justdan96 tsMuxer up to 2.7.0. This vulnerability affects the function HevcVpsUnit::setFPS of the file /AFLplusplus/tsMuxer_prev/tsMuxer/hevc.cpp. This manipulation of the argument track_id causes denial of service. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Denial of service in tsMuxer up to version 2.7.0 via improper input validation in the HevcVpsUnit::setFPS function allows local authenticated attackers to crash the application by manipulating the track_id argument. The vulnerability affects only unsupported product versions and carries a very low CVSS score (1.9), though publicly available exploit code exists.

Technical ContextAI

tsMuxer is a video multiplexing utility that processes HEVC (H.265) video streams. The vulnerability resides in the HevcVpsUnit::setFPS function within hevc.cpp, which handles frame rate configuration for HEVC video parameter sets. The flaw is categorized under CWE-404 (Improper Resource Validation), indicating that the function fails to properly validate the track_id parameter before using it in a way that triggers a denial of service condition. The attack vector is local (AV:L), requiring an authenticated user with low privileges (PR:L) to supply crafted input that causes the application to malfunction or crash.

RemediationAI

The most effective remediation is to upgrade tsMuxer to a version newer than 2.7.0 if available from the justdan96 GitHub repository (https://github.com/justdan96/tsMuxer/). Since the vulnerability description indicates affected versions are no longer supported by the maintainer, users should verify whether newer unsupported-maintenance releases or community forks provide fixes. As a compensating control, restrict local access to tsMuxer by limiting user accounts with execution privileges on systems running the application, though this may impact legitimate workflow automation. Additionally, monitor tsMuxer process execution logs for unexpected crashes or error conditions that might indicate exploitation attempts. Given the low CVSS score and local-only attack vector, organizations not running tsMuxer as a service or in shared-access environments face negligible practical risk.

CVE-2021-35346 CRITICAL POC
9.8 Dec 03

tsMuxer v2.6.16 was discovered to contain a heap-based buffer overflow via the function HevcSpsUnit::short_term_ref_pic_

CVE-2021-35344 CRITICAL POC
9.8 Dec 03

tsMuxer v2.6.16 was discovered to contain a heap-based buffer overflow via the function BitStreamReader::getCurVal in bi

CVE-2024-49778 HIGH POC
8.8 Nov 14

A heap-based buffer overflow in tsMuxer version nightly-2024-05-12-02-01-18 allows attackers to cause Denial of Service

CVE-2024-49777 HIGH POC
8.8 Nov 14

A heap-based buffer overflow in tsMuxer version nightly-2024-03-14-01-51-12 allows attackers to cause Denial of Service

CVE-2024-41209 HIGH POC
8.8 Nov 14

A heap-based buffer overflow in tsMuxer version nightly-2024-03-14-01-51-12 allows attackers to cause Denial of Service

CVE-2024-49776 MEDIUM POC
6.5 Nov 14

A negative-size-param in tsMuxer version nightly-2024-04-05-01-53-02 allows attackers to cause Denial of Service (DoS) v

CVE-2024-41217 MEDIUM POC
6.5 Nov 14

A heap-based buffer overflow in tsMuxer version nightly-2024-05-10-02-00-45 allows attackers to cause Denial of Service

CVE-2024-41206 MEDIUM POC
6.5 Nov 14

A stack-based buffer over-read in tsMuxer version nightly-2024-03-14-01-51-12 allows attackers to cause Information Disc

CVE-2024-52613 MEDIUM POC
5.5 Nov 14

A heap-based buffer under-read in tsMuxer version nightly-2024-05-12-02-01-18 allows attackers to cause Denial of Servic

CVE-2023-45511 MEDIUM POC
5.5 Oct 12

A memory leak in tsMuxer version git-2539d07 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

CVE-2022-43152 MEDIUM POC
5.5 Oct 31

tsMuxer v2.6.16 was discovered to contain a heap overflow via the function BitStreamWriter::flushBits() at /tsMuxer/bitS

CVE-2021-34071 MEDIUM POC
5.5 Jun 23

Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the applicat

Share

CVE-2026-7739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy