Executive Summary

CVE-2026-41470 is an authorization bypass vulnerability in the LIVE555 RTSP server before version 2026.04.22. It allows attackers to replay valid RTSP session tokens from unauthenticated connections on a separate TCP connection.

Because the server improperly checks authorization for session commands like PLAY and TEARDOWN when they come from a different connection, an attacker can issue these commands without proper authentication.

This flaw leads to server crashes caused by virtual function call errors or disrupts active streams by terminating legitimate user sessions.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can be exploited by attackers to cause denial of service by crashing the RTSP server or disrupting active media streams.

• Attackers can replay valid session tokens to issue unauthorized PLAY or TEARDOWN commands.
• This can lead to server crashes due to virtual function call errors or segmentation faults.
• Active streaming sessions can be terminated unexpectedly, causing service disruption for legitimate users.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized replay of valid RTSP session tokens from unauthenticated connections. A minimal reproduction involves capturing a session token from an authenticated SETUP request and replaying it on a new unauthenticated connection with a PLAY command, which triggers a server crash on vulnerable versions.

To detect exploitation attempts, you can capture RTSP traffic and look for PLAY or TEARDOWN commands issued from different TCP connections using the same session token.

Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to filter RTSP traffic and inspect session tokens and command sequences.

• tcpdump -i <interface> -s 0 -w rtsp_traffic.pcap port 554
• Use Wireshark to open rtsp_traffic.pcap and filter with 'rtsp' to analyze session tokens and commands.
• Look for multiple TCP connections issuing PLAY or TEARDOWN commands with the same session token.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade LIVE555 to version 2026.04.22 or later, where the vulnerability is fixed by properly rejecting unauthenticated within-session commands with a 401 Unauthorized response and maintaining server stability.

Until the upgrade can be applied, consider monitoring and blocking suspicious RTSP commands that reuse session tokens from different TCP connections to prevent exploitation.

Additionally, restricting network access to the RTSP server and applying firewall rules to limit connections can reduce the attack surface.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized attackers to bypass authorization by replaying valid session tokens, leading to potential denial of service through server crashes or disruption of active streams.

While the CVE description and resources do not explicitly mention impacts on compliance with standards such as GDPR or HIPAA, the ability for attackers to disrupt service or terminate legitimate sessions could affect availability requirements under such regulations.

However, there is no indication from the provided information that this vulnerability leads to unauthorized access to personal data or information disclosure, which are critical factors for compliance with data protection regulations.

Useful 0 Not Useful 0