{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35203", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-06T19:54:45.052Z", "dateUpdated": "2026-04-07T19:30:51.437Z"}, "containers": {"cna": {"title": "ZLMediaKit VP9 RTP Parser Out-of-Bounds Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h"}, {"name": "https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d", "tags": ["x_refsource_MISC"], "url": "https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d"}], "affected": [{"vendor": "ZLMediaKit", "product": "ZLMediaKit", "versions": [{"version": "< 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:54:45.052Z"}, "descriptions": [{"lang": "en", "value": "ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d."}], "source": {"advisory": "GHSA-gxr3-fwc7-q99h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:30:37.534657Z", "id": "CVE-2026-35203", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:30:51.437Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35203", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T19:30:37.534657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:30:47.165Z"}}], "cna": {"title": "ZLMediaKit VP9 RTP Parser Out-of-Bounds Read", "source": {"advisory": "GHSA-gxr3-fwc7-q99h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ZLMediaKit", "product": "ZLMediaKit", "versions": [{"status": "affected", "version": "< 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d"}]}], "references": [{"url": "https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h", "name": "https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d", "name": "https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:54:45.052Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35203", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:30:51.437Z", "dateReserved": "2026-04-01T18:48:58.937Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T19:54:45.052Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zlmediakit:zlmediakit:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6E40C41-1CFE-4C61-9948-9BC843FBF1BC", "versionEndExcluding": "2026-03-29", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d."}], "id": "CVE-2026-35203", "lastModified": "2026-04-16T04:21:41.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T20:16:28.057", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ZLMediaKit", "source": "cna", "vendor": "ZLMediaKit"}, "product": "zlmediakit", "vendor": "zlmediakit"}], "analysis": {"en": {"generated_at": "2026-04-07T02:51:23.312867+00:00", "value": {"mitigation_remediation": ["Apply the patch that incorporates commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d or upgrade to a release that includes the fix.", "If updating is not feasible, block incoming VP9 RTP packets to the affected server with firewall rules or network segmentation.", "Confirm that the installed binary does not include the vulnerable function by reviewing the source tree or version notes.", "Monitor the system for crashes or abnormal memory usage that could indicate exploitation attempts and review logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "All versions of ZLMediaKit that include the ext\u2011codec/VP9Rtp.cpp component before the patch commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d are affected, regardless of the deployment environment. The vulnerability applies to any build that processes VP9 RTP streams. No explicit version numbers are listed, so any release before the fix should be considered vulnerable.", "description_and_impact": "A VP9 RTP payload parser in ZLMediaKit reads fields based on flag bits without verifying the payload length. A crafted packet with a single byte payload and all flags set causes the parser to read past the allocated buffer, creating a heap\u2011buffer-overflow. While the description states only a memory corruption, such an overflow can lead to crashes or, if an attacker can influence subsequent heap usage, potential remote code execution. The weakness is identified as CWE\u2011125.", "risk_and_exploitability": "The CVSS score of 7.5 indicates moderate\u2011to\u2011high severity. Attackers can deliver a malicious VP9 RTP packet over the network to trigger the overflow, as the flaw relies on network\u2011exposed parsing logic. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The description suggests that exploitation is possible through crafted network traffic, though no public exploits are currently reported."}}}}, "created": "2026-04-07T06:54:17.896189+00:00", "updated": "2026-04-07T09:37:19.254829+00:00", "vendors": ["zlmediakit", "zlmediakit$PRODUCT$zlmediakit"]}