{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1465", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:03:38.776Z", "datePublished": "2026-01-27T08:15:57.520Z", "dateUpdated": "2026-01-27T21:40:07.901Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/anyrtcIO-Community/anyRTC-RTMP-OpenSource", "defaultStatus": "unaffected", "modules": ["third_party/faad2-2.7/libfaad"], "product": "anyRTC-RTMP-OpenSource", "programFiles": ["bits.c", "syntax.c"], "vendor": "anyrtcIO-Community", "versions": [{"lessThan": "1.0", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "datePublic": "2026-01-27T08:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules).<p> This vulnerability is associated with program files <tt>bits.C</tt>, <tt>syntax.C</tt>.</p><p>This issue affects anyRTC-RTMP-OpenSource: before 1.0.</p>"}], "value": "Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C.\n\nThis issue affects anyRTC-RTMP-OpenSource: before 1.0."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:15:57.520Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/anyrtcIO-Community/anyRTC-RTMP-OpenSource/pull/166"}], "source": {"discovery": "UNKNOWN"}, "title": "A heap-based buffer over-read or buffer overflow in tildearrow/furnace", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:10:34.788455Z", "id": "CVE-2026-1465", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:40:07.901Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C.\n\nThis issue affects anyRTC-RTMP-OpenSource: before 1.0."}, {"lang": "es", "value": "Vulnerabilidad de Restricci\u00f3n Inadecuada de Operaciones dentro de los L\u00edmites de un B\u00fafer de Memoria en anyrtcIO-Community anyRTC-RTMP-OpenSource (m\u00f3dulos third_party/faad2-2.7/libfaad). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa bits.C, syntax.C.\n\nEste problema afecta a anyRTC-RTMP-OpenSource: antes de 1.0."}], "id": "CVE-2026-1465", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:48.330", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/anyrtcIO-Community/anyRTC-RTMP-OpenSource/pull/166"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:49:23.823683+00:00", "value": {"mitigation_remediation": ["Upgrade anyRTC-RTMP-OpenSource to 1.0 or later to apply the vendor patch.", "Configure media stream input handlers to reject or quarantine incoming streams originating from untrusted sources until the patch is applied.", "Implement network\u2011level restrictions or authentication to limit access to media stream endpoints, reducing the potential attack surface during the remediation period."], "summary": {"action": "Patch", "impact": "Buffer Overflow leading to potential arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Affected products are anyRTC-RTMP-OpenSource from anyrtcIO-Community, all releases prior to 1.0. The flaw is located in the third_party/faad2-2.7/libfaad modules that parse media stream files. Users running older versions of the open\u2011source RTMP server or client components are impacted; newer releases beyond 1.0 have the fix applied.", "description_and_impact": "The vulnerability is an Improper Restriction of Operations within the Bounds of a Memory Buffer identified in the faad2-2.7/libfaad libraries used by anyRTC-RTMP-OpenSource. The flaw allows a buffer over\u2011read or overflow when processing certain input files, specifically bits.C or syntax.C. This kind of memory corruption can lead to information disclosure, denial of service, or if exploited correctly, arbitrary code execution, depending on the context in which the overrun occurs.", "risk_and_exploitability": "The CVSS score of 8.7 places this issue in the high\u2011severity range. The EPSS score of less than 1% indicates low current exploitation probability, and the vulnerability is not yet listed in CISA\u2019s KEV catalog. However, given that the flaw resides in a media decoding library that may be invoked by remote clients, the likely attack vector is remotely provided media streams. Even though exploitation success is uncertain without further details, the combination of high impact and potential remote trigger warrants timely mitigation."}}}}, "created": "2026-01-27T20:16:46.854910+00:00", "updated": "2026-04-18T19:00:08.035018+00:00", "vendors": ["anyrtcio-community", "anyrtcio-community$PRODUCT$anyrtc-rtmp-opensource"]}