CVE-2026-35203 - Vulnerability Details

- ZLMediaKit VP9 RTP Parser Out-of-Bounds Read

Description

ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.

Published: 2026-04-06

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A VP9 RTP payload parser in ZLMediaKit reads fields based on flag bits without verifying the payload length. A crafted packet with a single byte payload and all flags set causes the parser to read past the allocated buffer, creating a heap‑buffer-overflow. While the description states only a memory corruption, such an overflow can lead to crashes or, if an attacker can influence subsequent heap usage, potential remote code execution. The weakness is identified as CWE‑125.

Affected Systems

All versions of ZLMediaKit that include the ext‑codec/VP9Rtp.cpp component before the patch commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d are affected, regardless of the deployment environment. The vulnerability applies to any build that processes VP9 RTP streams. No explicit version numbers are listed, so any release before the fix should be considered vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate‑to‑high severity. Attackers can deliver a malicious VP9 RTP packet over the network to trigger the overflow, as the flaw relies on network‑exposed parsing logic. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The description suggests that exploitation is possible through crafted network traffic, though no public exploits are currently reported.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ZLMediaKit

affected

Version	Status	Constraints
`< 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d`	affected	—

No data.

Vendor Product Confidence Versions

Zlmediakit

100%

Version	Status	Scheme	Platform
`[0,435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d)`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the patch that incorporates commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d or upgrade to a release that includes the fix.
If updating is not feasible, block incoming VP9 RTP packets to the affected server with firewall rules or network segmentation.
Confirm that the installed binary does not include the vulnerable function by reviewing the source tree or version notes.
Monitor the system for crashes or abnormal memory usage that could indicate exploitation attempts and review logs for suspicious activity.

Generated by OpenCVE AI on April 7, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d
https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h

History

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zlmediakit Zlmediakit zlmediakit
Vendors & Products		Zlmediakit Zlmediakit zlmediakit

Mon, 06 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
Title		ZLMediaKit VP9 RTP Parser Out-of-Bounds Read
Weaknesses		CWE-125
References		https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Zlmediakit Zlmediakit

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-06T19:54:45.052Z

Updated: 2026-04-07T19:30:51.437Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35203

Vulnrichment

Updated: 2026-04-07T19:30:47.165Z

NVD

Status : Awaiting Analysis

Published: 2026-04-06T20:16:28.057

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-35203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T09:37:19Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object