High severity7.5NVD Advisory· Published Apr 6, 2026· Updated Apr 16, 2026

CVE-2026-35203

Description

ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.

Affected products

Zlmediakit/Zlmediakit
cpe:2.3:a:zlmediakit:zlmediakit:*:*:*:*:*:*:*:*
Range: <2026-03-29

Patches

435dcbcbbf70

https://github.com/ZLMediaKit/ZLMediaKitvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169dnvdPatch
github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99hnvdVendor AdvisoryExploit

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000