Description
RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.
Published: 2026-07-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RAOP module in PipeWire accepts unbounded Content-Length values and does not check the return value of pw_array_add(), leading to a null pointer dereference. The flaw causes a denial of service in PipeWire. The weakness is classified as CWE-476.

Affected Systems

The vulnerability applies to Red Hat Enterprise Linux 8, 9, and 10 systems that include PipeWire’s RAOP modules for AirPlay streaming. The affected modules are module-raop-discover and module-raop-sink.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in CISA’s KEV catalog, implying limited public exploitation data. The CVE description does not explicitly state the attack vector, but the flaw involves the RAOP module accepting unbounded Content-Length values, which may lead to a null pointer dereference.

Generated by OpenCVE AI on July 2, 2026 at 16:06 UTC.

Remediation

Vendor Workaround

If AirPlay streaming is not required, unload or disable the module-raop-discover and module-raop-sink PipeWire modules.


OpenCVE Recommended Actions

  • Unload or disable PipeWire modules module-raop-discover and module-raop-sink if AirPlay streaming is not required.
  • Apply the latest PipeWire update or Red Hat patch that resolves the null pointer dereference in the RAOP module.
  • Restrict network access to the RTSP/RAOP port or disable AirPlay services entirely until the patch is applied.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Wed, 01 Jul 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.
Title | | Pipewire: raop rtsp null deref
First Time appeared | | Redhat; Redhat enterprise Linux
Weaknesses | | CWE-476
CPEs | | cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products | | Redhat; Redhat enterprise Linux
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-01T17:25:35.992Z

Reserved: 2026-07-01T12:14:59.165Z

Link: CVE-2026-14324

Vulnrichment

Updated: 2026-07-01T16:15:26.350Z

NVD

No data.

Redhat

Severity: Moderate

Public Date: 2026-07-01T00:00:00Z

Links: CVE-2026-14324 - Bugzilla

OpenCVE Enrichment

Updated: 2026-07-02T16:15:03Z

Weaknesses