CVE-2026-7739
Denial of Service in tsMuxer via HevcVpsUnit::setFPS
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| justdan96 | tsmuxer | to 2.7.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the tsMuxer software up to version 2.7.0, specifically in the function HevcVpsUnit::setFPS within the hevc.cpp file. It involves improper handling of the argument track_id, which can be manipulated to cause a denial of service (DoS) condition. The issue arises from an invalid assertion failure when setting the frames per second (FPS) value in an HEVC stream, leading to a crash or service disruption.
The attack requires local access to the system and exploits a weakness in processing FPS values, such as setting an invalid FPS like 0.435298, which triggers an internal error.
Additionally, the software is no longer supported by its maintainer, which means no official patches or fixes are available.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) on systems running affected versions of tsMuxer by crashing the application when processing manipulated input values. Since the attack requires local access, an attacker with such access could disrupt the normal operation of the software, potentially interrupting media processing workflows.
Because the software is no longer maintained, affected users cannot rely on official updates or patches to mitigate this issue, increasing the risk of continued exposure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the function HevcVpsUnit::setFPS in tsMuxer and can be triggered by manipulating the argument track_id, causing a denial of service. Detection involves identifying attempts to exploit this function, which requires local access.
Since the issue is related to a failed assertion in the HEVC module when setting FPS, monitoring application logs for errors related to HevcVpsUnit::setFPS or assertion failures in hevc.cpp (line 234) can help detect exploitation attempts.
There is a publicly available proof-of-concept (PoC) exploit file that can be used to test if a system is vulnerable.
Suggested commands to detect the vulnerability or test the system include running the PoC exploit in a controlled environment and monitoring for crashes or denial of service. For example, using debugging tools or running tsMuxer with the PoC file and compiler flags for debugging as described in the GitHub issue.
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerability requires local access and affects unsupported versions of tsMuxer up to 2.7.0, immediate mitigation steps include restricting local access to the affected system and avoiding use of the vulnerable tsMuxer versions.
Because the maintainer has archived the repository and no updates are available, consider removing or replacing tsMuxer with a supported alternative.
Monitor for any unusual crashes or denial of service symptoms related to tsMuxer and apply strict access controls to prevent unauthorized local usage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.