Description
A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes.

We have already fixed the vulnerability in the following version:
Media Streaming Add-on 500.1.1 and later
Published: 2026-03-20
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption and service disruption
Action: Patch
AI Analysis

Impact

The vulnerability is a stack‑based buffer overflow in QNAP's Media Streaming Add‑On that can be triggered by remote entities. When exploited, the flaw allows modification of memory or crash of the streaming process, leading to potential loss of service and device instability. The description does not confirm arbitrary code execution, but memory corruption could provide a foothold for further compromise if additional weaknesses exist.

Affected Systems

The affected product is the Media Streaming Add‑On from QNAP Systems Inc. Versions earlier than 500.1.1 are vulnerable. The fixed release is 500.1.1 and later. Any device running a prior version of the add‑on is at risk.

Risk and Exploitability

The CVSS 4.0 score of 2.7 categorizes this issue as low severity, and the EPSS score of less than 1% indicates a very low probability of exploitation. The record's history also carries a CVSS 3.1 vector scored 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), so the two scoring systems rate this issue very differently. It is not listed in the CISA KEV catalog. Exploitation would require remote access to the add‑on, likely via network interfaces exposed by the device. Because the flaw can lead to memory corruption and crashes, it poses a risk of denial of service or, in a worst‑case scenario, sets the stage for further attacks if additional vulnerabilities exist.

Generated by OpenCVE AI on April 14, 2026 at 02:52 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later


OpenCVE Recommended Actions

  • Update the Media Streaming Add‑On to version 500.1.1 or later from QNAP.
  • Verify that the update is applied by checking the add‑on version in the QNAP admin interface.
  • If a new version is not yet available, limit network access to the add‑on or disable it entirely to reduce exposure.
  • Keep an eye on system logs for signs of unexpected crashes or memory corruption that may indicate an attempt to exploit the flaw.


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 01:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Qnap; Qnap media Streaming Add-on |
| CPEs | | cpe:2.3:a:qnap:media_streaming_add-on:*:*:*:*:*:*:*:* |
| Vendors & Products | | Qnap; Qnap media Streaming Add-on |
| Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'} |


Wed, 25 Mar 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 23 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Qnap Systems; Qnap Systems media Streaming Add-on |
| Vendors & Products | | Qnap Systems; Qnap Systems media Streaming Add-on |

Fri, 20 Mar 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later |
| Title | | Media Streaming Add-on |
| Weaknesses | | CWE-121 |
| References | | |
| Metrics | | cvssV4_0: {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'} |


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:00:24.616Z

Reserved: 2025-09-15T08:35:00.660Z

Link: CVE-2025-59383

Vulnrichment

Updated: 2026-03-25T14:00:20.876Z

NVD

Status: Analyzed

Published: 2026-03-20T17:16:42.007

Modified: 2026-04-14T01:17:24.170

Link: CVE-2025-59383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:43:48Z

Weaknesses