High severity 7.5 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 16, 2026
CVE-2026-35203
Description
ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
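An added example (not ZLMediaKit's code or its patch): a bounds-checked walk of the flag-driven descriptor fields that returns -1 for a truncated payload such as the 1-byte 0xFF case described above. The field layout follows the VP9 RTP payload format specification and is an assumption here, as are the names `Reader` and `vp9_descriptor_len`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Bounds-checked cursor: every read checks the remaining length first.
struct Reader {
    const uint8_t *p;
    size_t len, pos;
    bool ok;
    Reader(const uint8_t *b, size_t n) : p(b), len(n), pos(0), ok(true) {}
    uint8_t u8() {
        if (!ok || pos >= len) { ok = false; return 0; }
        return p[pos++];
    }
    void skip(size_t n) {
        if (!ok || n > len - pos) { ok = false; return; }
        pos += n;
    }
};

// Returns the descriptor length in bytes, or -1 if the payload is truncated.
// Field layout per the VP9 RTP payload format (assumed, not from the page).
long vp9_descriptor_len(const uint8_t *buf, size_t len) {
    Reader r(buf, len);
    const uint8_t b0 = r.u8();
    const bool has_pid = b0 & 0x80, inter = b0 & 0x40, has_layer = b0 & 0x20;
    const bool flexible = b0 & 0x10, has_ss = b0 & 0x02;
    if (has_pid && (r.u8() & 0x80)) r.skip(1);  // M bit: 15-bit picture ID
    if (has_layer) { r.skip(1); if (!flexible) r.skip(1); }  // indices, TL0PICIDX
    if (flexible && inter)                      // up to 3 P_DIFF bytes, N bit chains
        for (int i = 0; i < 3 && r.ok; ++i) if (!(r.u8() & 0x01)) break;
    if (has_ss) {                               // scalability structure
        const uint8_t ss = r.u8();
        if (ss & 0x10) r.skip(4 * ((ss >> 5) + 1u));  // Y: width+height per layer
        if (ss & 0x08) {                        // G: picture group entries
            const unsigned n_g = r.u8();
            for (unsigned i = 0; i < n_g && r.ok; ++i)
                r.skip((r.u8() >> 2) & 0x03);   // R reference P_DIFF bytes
        }
    }
    return r.ok ? static_cast<long>(r.pos) : -1;
}

int main() {
    const uint8_t crafted[] = {0xFF};  // constructed: the 1-byte payload from the advisory
    std::printf("%ld\n", vp9_descriptor_len(crafted, sizeof crafted));
    return 0;
}
```

A caller would drop the packet on -1 and only treat bytes after the returned offset as VP9 frame data.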
Affected products
- cpe:2.3:a:zlmediakit:zlmediakit:*:*:*:*:*:*:*:* (range: <2026-03-29)
- (no CPE)