CVE-2026-35203
Status: Received (Intake)
Heap Buffer Overflow in ZLMediaKit VP9 RTP Payload Parser

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor       Product      Version / Range
zlmediakit   zlmediakit   up to 2026-03-29 (exclusive)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-35203 is a heap buffer out-of-bounds read vulnerability in the VP9 RTP payload parser of ZLMediaKit that can lead to remote denial of service or information disclosure by leaking heap memory contents.

While the vulnerability itself does not directly mention compliance with standards such as GDPR or HIPAA, the potential for information disclosure could impact compliance by exposing sensitive data handled by the affected system.

Organizations using vulnerable versions of ZLMediaKit may face risks related to data confidentiality and availability, which are critical aspects of many regulatory frameworks.

Therefore, failure to patch this vulnerability could lead to non-compliance with regulations that require protection of personal or sensitive data and system availability.


Can you explain this vulnerability to me?

CVE-2026-35203 is a vulnerability in the VP9 RTP payload parser of the ZLMediaKit streaming media framework. The parser reads multiple fields from the RTP payload based on flag bits in the first byte without verifying that enough data exists in the buffer. This lack of bounds checking allows a crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) to cause the parser to read beyond the allocated buffer, resulting in a heap-buffer-overflow.

This vulnerability arises because the parser attempts to read additional bytes for fields like PictureID, Layer Indices, and scalability structure without confirming that these bytes are present, leading to out-of-bounds memory access.

The issue was fixed by adding comprehensive payload bounds validation in the parsing function, which checks before every read operation that the data pointer does not exceed the payload buffer limits, preventing out-of-bounds reads and aborting decoding if malformed packets are detected.


How can this vulnerability impact me?

This vulnerability can be exploited remotely by sending maliciously crafted VP9 RTP packets to a ZLMediaKit server, potentially causing the following impacts:

  • Denial of Service (DoS) through server crashes caused by heap-buffer-overflow and segmentation faults.
  • Information disclosure by leaking heap memory contents, which may be incorporated into VP9 frames forwarded to clients.
  • Corruption of the parser state leading to undefined behavior or errors in downstream processing.

The attack requires no privileges or user interaction and can be performed over the network, making it a high-severity risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for crashes or abnormal behavior in the ZLMediaKit streaming media service when it processes VP9 RTP packets.

A proof-of-concept involves sending crafted VP9 RTP packets with a 1-byte payload of 0xFF (all flags set) to the ZLMediaKit RTP/RTSP endpoint, which triggers the heap-buffer-overflow.

Detection can be aided by using tools like AddressSanitizer (ASan) to identify heap-buffer-overflow errors during packet processing.

While no explicit commands are provided, a possible approach is to use packet crafting tools (e.g., Scapy in Python) to send VP9 RTP packets with a 1-byte payload of 0xFF to the target service and observe for crashes or logs indicating parse failures.

  • Use network packet capture tools (e.g., tcpdump or Wireshark) to monitor RTP traffic for suspicious VP9 packets with unusually small payloads (1 byte) and all flag bits set.
  • Check ZLMediaKit logs for warnings or errors related to VP9 RTP payload parsing failures, as the patched version logs warnings when parsing fails.
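The fix description above (a length check before every read of a flag-announced field) and the detection bullets (flagging VP9 payloads whose flag byte promises more data than the packet carries) both come down to the same check, so here is one bounds-checked walk of the VP9 RTP payload descriptor. It is an added example, not ZLMediaKit's code from VP9Rtp.cpp or its fix commit; the field layout follows the IETF VP9 RTP payload format draft (I/P/L/F/B/E/V/Z flag byte, PictureID, layer indices, TL0PICIDX, P_DIFF, scalability structure), and the function name vp9_descriptor_len, the Cursor helper and the sample payloads are assumptions of this example.

```cpp
// Added example, not ZLMediaKit's VP9Rtp.cpp: a VP9 RTP payload descriptor
// walker that checks the remaining length before every read. Field layout
// follows the IETF VP9 RTP payload format draft.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace {

// Read cursor over the payload; take() refuses to move past the end.
struct Cursor {
    const uint8_t *p;
    size_t left;
    bool take(size_t n, const uint8_t **out) {
        if (n > left) return false;          // would read past the buffer
        *out = p;
        p += n;
        left -= n;
        return true;
    }
};

} // namespace

// Returns the descriptor length in bytes, or -1 when the payload is too short
// for the fields its own flag bits announce (the caller must drop the packet).
int vp9_descriptor_len(const uint8_t *payload, size_t len) {
    Cursor c{payload, len};
    const uint8_t *b = nullptr;

    if (!c.take(1, &b)) return -1;           // empty payload: no flag byte
    const uint8_t flags = b[0];
    const bool I = (flags & 0x80) != 0;      // PictureID present
    const bool P = (flags & 0x40) != 0;      // inter-picture predicted
    const bool L = (flags & 0x20) != 0;      // layer indices present
    const bool F = (flags & 0x10) != 0;      // flexible mode
    const bool V = (flags & 0x02) != 0;      // scalability structure present

    if (I) {                                 // PictureID: 7 bits, or 15 if M set
        if (!c.take(1, &b)) return -1;
        if ((b[0] & 0x80) && !c.take(1, &b)) return -1;
    }
    if (L) {                                 // TID/U/SID/D byte
        if (!c.take(1, &b)) return -1;
        if (!F && !c.take(1, &b)) return -1; // TL0PICIDX, non-flexible mode only
    }
    if (F && P) {                            // up to 3 P_DIFF bytes chained by N bit
        for (int i = 0; i < 3; ++i) {
            if (!c.take(1, &b)) return -1;
            if ((b[0] & 0x01) == 0) break;
        }
    }
    if (V) {                                 // scalability structure (SS)
        if (!c.take(1, &b)) return -1;
        const size_t n_s = (b[0] >> 5) + 1;  // number of spatial layers
        const bool Y = (b[0] & 0x10) != 0;   // WIDTH/HEIGHT per layer follow
        const bool G = (b[0] & 0x08) != 0;   // picture group description follows
        if (Y && !c.take(4 * n_s, &b)) return -1;
        if (G) {
            if (!c.take(1, &b)) return -1;   // N_G
            const size_t n_g = b[0];
            for (size_t g = 0; g < n_g; ++g) {
                if (!c.take(1, &b)) return -1;        // TID/U/R byte
                const size_t r = (b[0] >> 2) & 0x03;  // number of P_DIFF bytes
                if (!c.take(r, &b)) return -1;
            }
        }
    }
    return static_cast<int>(len - c.left);
}

// Convenience overload for std::vector / brace-initialised sample payloads.
int vp9_descriptor_len(const std::vector<uint8_t> &payload) {
    return vp9_descriptor_len(payload.data(), payload.size());
}

int main() {
    // Constructed sample payloads for illustration, not captured traffic.
    const std::vector<std::vector<uint8_t>> samples = {
        {0xFF},                          // 1-byte payload, every flag set
        {0xA0, 0x05, 0x00, 0x01, 0xAA},  // I+L, non-flexible, then 1 frame byte
        {0xA0, 0x05, 0x00},              // same, truncated before TL0PICIDX
    };
    for (const auto &s : samples) {
        const int n = vp9_descriptor_len(s);
        if (n < 0) std::printf("drop: descriptor truncated (%zu-byte payload)\n", s.size());
        else       std::printf("ok: descriptor %d bytes, %zu frame bytes\n", n, s.size() - n);
    }
    return 0;
}
```

A payload for which vp9_descriptor_len returns -1 is exactly the malformed case the detection bullets describe: the flag byte announces fields the packet does not contain. Run over RTP payloads extracted from a capture, a count of such packets per source is a usable indicator of attempts against an unpatched server, and in a forwarding hop the same result is the drop decision the patched parser makes when it aborts decoding.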

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update ZLMediaKit to a version that includes the fix introduced by commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.

This fix adds comprehensive bounds checking in the VP9 RTP payload parser to prevent out-of-bounds memory access.

Until the update can be applied, consider implementing network-level protections such as filtering or blocking suspicious RTP packets with malformed VP9 payloads (e.g., packets with 1-byte payloads and all flags set).

Monitoring logs for parse failures and crashes can help detect exploitation attempts and allow for timely response.

