CVE-2026-35203

Published: Apr 6, 2026

Modified: Apr 7, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.

Vendor	Product	Versions
ZLMediaKit	ZLMediaKit	affected `< 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d`

Weaknesses (CWE)

CWE-125

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h

x_refsource_CONFIRM

https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-35203

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References