Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
8DescriptionGitHub Advisory
ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
AnalysisAI
Heap buffer overflow in ZLMediaKit's VP9 RTP payload parser allows remote unauthenticated attackers to trigger denial of service by sending a single malformed RTP packet. The vulnerability stems from insufficient buffer length validation in ext-codec/VP9Rtp.cpp, where flag bits in a 1-byte payload (0xFF) cause out-of-bounds reads. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a low-probability but remotely exploitable attack surface against any ZLMediaKit server processing VP9 streams. Fixed in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Technical ContextAI
ZLMediaKit is a cross-platform streaming media server framework supporting RTSP/RTMP/HLS/WebRTC protocols. This vulnerability affects the VP9 codec implementation (ext-codec/VP9Rtp.cpp), which parses RTP payloads containing VP9 video frames. VP9 RTP payloads use the first byte as a descriptor with flag bits indicating presence of optional fields (PictureID, temporal layer index, spatial layer index, etc.). The parser (CWE-125: Out-of-bounds Read) reads these optional fields sequentially based on set flags without first validating that the buffer contains sufficient data beyond the descriptor byte. When an attacker sends a minimal RTP packet (1-byte payload = 0xFF, all 8 flags enabled), the parser attempts to read multiple non-existent fields, triggering a heap-buffer-overflow as it accesses memory beyond the allocated buffer boundary. This is a classic insufficient input validation vulnerability in network protocol parsing code.
RemediationAI
Update ZLMediaKit to a version incorporating commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d or later (https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d). The fix adds proper bounds checking in the VP9 RTP parser before reading optional payload fields. If immediate patching is not feasible, disable VP9 codec support in ZLMediaKit configuration to eliminate the attack surface - this prevents VP9 stream processing but maintains functionality for other codecs (H.264, H.265, etc.). Alternatively, implement network-level filtering to block VP9 RTP traffic (RTP payload type 98-127 range, inspect SDP for VP9 codec negotiation) from untrusted sources, though this adds operational complexity and may break legitimate VP9 streaming use cases. For public-facing streaming servers, restricting VP9 ingestion to authenticated/trusted publishers provides defense-in-depth while maintaining VP9 playback capability.
More in Zlmediakit
View allZLMediaKit 4.0 is vulnerable to Directory Traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely expl
An attacker can send malicious RTMP requests to make the ZLMediaKit server crash remotely. Rated high severity (CVSS 7.5
Cross Site Scripting vulnerability in ZLMediaKiet v.4.0 and v.5.0 allows an attacker to execute arbitrary code via a cra
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19475