Description
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C.

This issue affects anyRTC-RTMP-OpenSource: before 1.0.
Published: 2026-01-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Buffer Overflow leading to potential arbitrary code execution
Action: Patch
AI Analysis

Impact

The vulnerability is an Improper Restriction of Operations within the Bounds of a Memory Buffer in the faad2-2.7/libfaad library bundled with anyRTC-RTMP-OpenSource. The flaw allows a buffer over-read or overflow when certain input is processed by the code in the program files bits.C and syntax.C. Depending on the context in which the overrun occurs, this kind of memory corruption can lead to information disclosure, denial of service, or arbitrary code execution.

Affected Systems

The affected product is anyRTC-RTMP-OpenSource from anyrtcIO-Community, all releases prior to 1.0. The flaw is located in the third_party/faad2-2.7/libfaad modules that parse media stream files. Users running older versions of the open-source RTMP server or client components are impacted; releases 1.0 and later have the fix applied.

Risk and Exploitability

The CVSS score of 8.7 places this issue in the high‑severity range. The EPSS score of less than 1% indicates low current exploitation probability, and the vulnerability is not yet listed in CISA’s KEV catalog. However, given that the flaw resides in a media decoding library that may be invoked by remote clients, the likely attack vector is remotely provided media streams. Even though exploitation success is uncertain without further details, the combination of high impact and potential remote trigger warrants timely mitigation.

Generated by OpenCVE AI on April 18, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade anyRTC-RTMP-OpenSource to 1.0 or later to apply the vendor patch.
  • Configure media stream input handlers to reject or quarantine incoming streams originating from untrusted sources until the patch is applied.
  • Implement network‑level restrictions or authentication to limit access to media stream endpoints, reducing the potential attack surface during the remediation period.



Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Anyrtcio-community; Anyrtcio-community anyrtc-rtmp-opensource
Vendors & Products | | Anyrtcio-community; Anyrtcio-community anyrtc-rtmp-opensource

Tue, 27 Jan 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C. This issue affects anyRTC-RTMP-OpenSource: before 1.0.
Title | | A heap-based buffer over-read or buffer overflow in tildearrow/furnace
Weaknesses | | CWE-119
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T21:40:07.901Z

Reserved: 2026-01-27T08:03:38.776Z

Link: CVE-2026-1465

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-01-27T09:15:48.330

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1465

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses