CVE-2026-35203
Received Received - Intake
Heap Buffer Overflow in ZLMediaKit VP9 RTP Payload Parser

Publication date: 2026-04-06

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35203
EUVD
EUVD-2026-19475
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zlmediakit zlmediakit to 2026-03-29 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-35203 is a heap buffer out-of-bounds read vulnerability in the VP9 RTP payload parser of ZLMediaKit that can lead to remote denial of service or information disclosure by leaking heap memory contents.

While the vulnerability itself does not directly mention compliance with standards such as GDPR or HIPAA, the potential for information disclosure could impact compliance by exposing sensitive data handled by the affected system.

Organizations using vulnerable versions of ZLMediaKit may face risks related to data confidentiality and availability, which are critical aspects of many regulatory frameworks.

Therefore, failure to patch this vulnerability could lead to non-compliance with regulations that require protection of personal or sensitive data and system availability.

Executive Summary

CVE-2026-35203 is a vulnerability in the VP9 RTP payload parser of the ZLMediaKit streaming media framework. The parser reads multiple fields from the RTP payload based on flag bits in the first byte without verifying that enough data exists in the buffer. This lack of bounds checking allows a crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) to cause the parser to read beyond the allocated buffer, resulting in a heap-buffer-overflow.

This vulnerability arises because the parser attempts to read additional bytes for fields like PictureID, Layer Indices, and scalability structure without confirming that these bytes are present, leading to out-of-bounds memory access.

The issue was fixed by adding comprehensive payload bounds validation in the parsing function, which checks before every read operation that the data pointer does not exceed the payload buffer limits, preventing out-of-bounds reads and aborting decoding if malformed packets are detected.

Impact Analysis

This vulnerability can be exploited remotely by sending maliciously crafted VP9 RTP packets to a ZLMediaKit server, potentially causing the following impacts:

  • Denial of Service (DoS) through server crashes caused by heap-buffer-overflow and segmentation faults.
  • Information disclosure by leaking heap memory contents, which may be incorporated into VP9 frames forwarded to clients.
  • Corruption of the parser state leading to undefined behavior or errors in downstream processing.

The attack requires no privileges or user interaction and can be performed over the network, making it a high-severity risk.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal behavior in the ZLMediaKit streaming media service when it processes VP9 RTP packets.

A proof-of-concept involves sending crafted VP9 RTP packets with a 1-byte payload of 0xFF (all flags set) to the ZLMediaKit RTP/RTSP endpoint, which triggers the heap-buffer-overflow.

Detection can be aided by using tools like AddressSanitizer (ASan) to identify heap-buffer-overflow errors during packet processing.

While no explicit commands are provided, a possible approach is to use packet crafting tools (e.g., Scapy in Python) to send VP9 RTP packets with a 1-byte payload of 0xFF to the target service and observe for crashes or logs indicating parse failures.

  • Use network packet capture tools (e.g., tcpdump or Wireshark) to monitor RTP traffic for suspicious VP9 packets with unusually small payloads (1 byte) and all flag bits set.
  • Check ZLMediaKit logs for warnings or errors related to VP9 RTP payload parsing failures, as the patched version logs warnings when parsing fails.
Mitigation Strategies

The immediate mitigation step is to update ZLMediaKit to a version that includes the fix introduced by commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.

This fix adds comprehensive bounds checking in the VP9 RTP payload parser to prevent out-of-bounds memory access.

Until the update can be applied, consider implementing network-level protections such as filtering or blocking suspicious RTP packets with malformed VP9 payloads (e.g., packets with 1-byte payloads and all flags set).

Monitoring logs for parse failures and crashes can help detect exploitation attempts and allow for timely response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart