Skip to main content

Zlmediakit EUVDEUVD-2026-19475

| CVE-2026-35203 HIGH
Out-of-bounds Read (CWE-125)
2026-04-06 security-advisories@github.com
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

8
Analysis Updated
Apr 16, 2026 - 06:05 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d
Analysis Updated
Apr 16, 2026 - 04:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 04:33 vuln.today
cvss_changed
EUVD ID Assigned
Apr 06, 2026 - 20:22 euvd
EUVD-2026-19475
Analysis Generated
Apr 06, 2026 - 20:22 vuln.today
CVE Published
Apr 06, 2026 - 20:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.

AnalysisAI

Heap buffer overflow in ZLMediaKit's VP9 RTP payload parser allows remote unauthenticated attackers to trigger denial of service by sending a single malformed RTP packet. The vulnerability stems from insufficient buffer length validation in ext-codec/VP9Rtp.cpp, where flag bits in a 1-byte payload (0xFF) cause out-of-bounds reads. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a low-probability but remotely exploitable attack surface against any ZLMediaKit server processing VP9 streams. Fixed in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d. No active exploitation (CISA KEV) or public POC identified at time of analysis.

Technical ContextAI

ZLMediaKit is a cross-platform streaming media server framework supporting RTSP/RTMP/HLS/WebRTC protocols. This vulnerability affects the VP9 codec implementation (ext-codec/VP9Rtp.cpp), which parses RTP payloads containing VP9 video frames. VP9 RTP payloads use the first byte as a descriptor with flag bits indicating presence of optional fields (PictureID, temporal layer index, spatial layer index, etc.). The parser (CWE-125: Out-of-bounds Read) reads these optional fields sequentially based on set flags without first validating that the buffer contains sufficient data beyond the descriptor byte. When an attacker sends a minimal RTP packet (1-byte payload = 0xFF, all 8 flags enabled), the parser attempts to read multiple non-existent fields, triggering a heap-buffer-overflow as it accesses memory beyond the allocated buffer boundary. This is a classic insufficient input validation vulnerability in network protocol parsing code.

RemediationAI

Update ZLMediaKit to a version incorporating commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d or later (https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d). The fix adds proper bounds checking in the VP9 RTP parser before reading optional payload fields. If immediate patching is not feasible, disable VP9 codec support in ZLMediaKit configuration to eliminate the attack surface - this prevents VP9 stream processing but maintains functionality for other codecs (H.264, H.265, etc.). Alternatively, implement network-level filtering to block VP9 RTP traffic (RTP payload type 98-127 range, inspect SDP for VP9 codec negotiation) from untrusted sources, though this adds operational complexity and may break legitimate VP9 streaming use cases. For public-facing streaming servers, restricting VP9 ingestion to authenticated/trusted publishers provides defense-in-depth while maintaining VP9 playback capability.

Share

EUVD-2026-19475 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy