CVE-2026-35203
Published: 06 April 2026
Summary
CVE-2026-35203 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in ZLMediaKit (vendor and product both listed as Zlmediakit). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 17.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely patching of known flaws like the heap buffer overflow in ZLMediaKit's VP9 RTP parser to prevent exploitation.
- Mandates validation of RTP payload lengths and formats before parsing based on flag bits, to avoid reading past buffer boundaries.
- Implements runtime memory protections such as address space layout randomization or stack canaries to mitigate heap buffer overflow impacts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing media streaming service via a crafted RTP packet maps directly to T1190 (Exploit Public-Facing Application), and the resulting application crash/DoS maps to T1499.004 (Application or System Exploitation).
NVD Description
ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
Deeper analysis
CVE-2026-35203 is a heap buffer overflow vulnerability in ZLMediaKit, an open-source streaming media service framework. The issue resides in the VP9 RTP payload parser implemented in the file ext-codec/VP9Rtp.cpp. This parser reads multiple fields from the RTP payload based on flag bits in the first byte without first verifying that the payload is long enough to hold them. A specially crafted VP9 RTP packet with a 1-byte payload (0xFF, setting all flags) therefore makes the parser read past the end of the allocated buffer. The vulnerability is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability can be exploited remotely over the network by any unauthenticated attacker with low complexity and no user interaction required. By sending a malicious VP9 RTP packet to a vulnerable ZLMediaKit instance, the attacker triggers the heap buffer overflow, which disrupts availability by causing a denial-of-service condition, such as application crashes or service instability. No privileges are needed, and the impact is confined to the affected component without data disclosure or modification.
Mitigation is available through a patch in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d on the ZLMediaKit GitHub repository. Security practitioners should update to a version incorporating this fix. Additional details are provided in the project's security advisory at GHSA-gxr3-fwc7-q99h.
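The defensive pattern SI-10 calls for, as an added C++ example that is neither ZLMediaKit's code nor the fix in the referenced commit: every read of a flag-dependent field is preceded by a remaining-length check, so the 1-byte 0xFF payload is rejected instead of being read past its end. The descriptor layout (I, P, L, F and V flags, picture ID, layer byte, P_DIFF and scalability structure) is assumed from the IETF VP9 RTP payload format draft, and the sample packets are constructed, not captured traffic.

```cpp
#include <cstddef>
#include <cstdint>
// Returns the length of the VP9 RTP payload descriptor in bytes, or -1 when the
// payload is shorter than the fields its flag bits announce. Every read goes
// through need(), so a 1-byte 0xFF payload is rejected, not read past its end.
int vp9DescriptorLength(const uint8_t* data, size_t len) {
    size_t pos = 0;
    auto need = [&](size_t n) { return len - pos >= n; };  // pos never exceeds len
    if (!need(1)) return -1;
    const uint8_t flags = data[pos++];  // I|P|L|F|B|E|V|Z
    const bool I = flags & 0x80, P = flags & 0x40, L = flags & 0x20, F = flags & 0x10;
    if (I) {  // M|PICTURE ID, plus an EXTENDED PID byte when M is set
        if (!need(1)) return -1;
        if (data[pos++] & 0x80) { if (!need(1)) return -1; pos++; }
    }
    if (L) {  // TID|U|SID|D, followed by TL0PICIDX in non-flexible mode
        const size_t n = F ? 1 : 2;
        if (!need(n)) return -1;
        pos += n;
    }
    if (P && F) {  // flexible mode: up to three P_DIFF|N bytes, chained by N
        for (int i = 0; i < 3; ++i) {
            if (!need(1)) return -1;
            if (!(data[pos++] & 0x01)) break;
        }
    }
    if (flags & 0x02) {  // V: scalability structure, N_S|Y|G|-|-|-
        if (!need(1)) return -1;
        const uint8_t ss = data[pos++];
        const size_t n_s = (ss >> 5) + 1;
        if (ss & 0x10) {  // Y: 16-bit WIDTH and HEIGHT for each of N_S+1 layers
            if (!need(4 * n_s)) return -1;
            pos += 4 * n_s;
        }
        if (ss & 0x08) {  // G: N_G entries of TID|U|R|-|-, each with R P_DIFFs
            if (!need(1)) return -1;
            for (size_t g = data[pos++]; g > 0; --g) {
                if (!need(1)) return -1;
                const size_t r = (data[pos++] >> 2) & 0x03;
                if (!need(r)) return -1;
                pos += r;
            }
        }
    }
    return static_cast<int>(pos);
}
// Constructed samples: the advisory's 1-byte all-flags packet; a 15-bit picture ID with B/E set (3-byte descriptor); flexible mode with layer byte and two P_DIFFs (4-byte descriptor).
const uint8_t kCrafted[]  = {0xFF};
const uint8_t kValid[]    = {0x8C, 0x92, 0x34, 0xAA};
const uint8_t kFlexible[] = {0x70, 0x21, 0x03, 0x02, 0xAA};
```

A caller would skip the returned number of bytes to reach the VP9 frame data and drop the packet on -1; that is the check the vulnerable parser omitted.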
Details
- CWE(s)