VYPR
High severity 7.5 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 16, 2026

CVE-2026-35203

Description

ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
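
The length checks the description says were missing, shown as an added example (not ZLMediaKit's code and not the fix commit): a walker over the VP9 payload descriptor in which every read goes through a bounds-checked cursor, so a 1-byte 0xFF payload is rejected instead of read past. The field layout follows the VP9 RTP payload descriptor of RFC 9628; `Reader` and `vp9_descriptor_len` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>

// Cursor over an untrusted RTP payload: every read is bounds-checked.
struct Reader {
    const uint8_t *p; size_t n, pos;
    bool u8(uint8_t &v) { if (pos >= n) return false; v = p[pos++]; return true; }
    bool skip(size_t k) { if (k > n - pos) return false; pos += k; return true; }
};

// Hypothetical helper: returns the VP9 payload descriptor length in bytes,
// or -1 if the payload is shorter than the fields its own flag bits announce.
long vp9_descriptor_len(const uint8_t *buf, size_t len) {
    Reader r{buf, len, 0};
    uint8_t flags, b;
    if (!r.u8(flags)) return -1;                  // empty payload
    const bool I = flags & 0x80, P = flags & 0x40, L = flags & 0x20,
               F = flags & 0x10, V = flags & 0x02;
    if (I) {                                      // picture ID: 7 or 15 bits
        if (!r.u8(b)) return -1;
        if ((b & 0x80) && !r.skip(1)) return -1;  // M bit: extended PID byte
    }
    if (L) {                                      // TID/U/SID/D byte
        if (!r.skip(1)) return -1;
        if (!F && !r.skip(1)) return -1;          // TL0PICIDX, non-flexible mode
    }
    if (P && F) {                                 // P_DIFF bytes, N bit = one more
        int i = 0;                                // a 4th P_DIFF is malformed
        do { if (i++ == 3 || !r.u8(b)) return -1; } while (b & 0x01);
    }
    if (V) {                                      // scalability structure (SS)
        if (!r.u8(b)) return -1;
        const size_t n_s = (b >> 5) + 1;          // N_S + 1 spatial layers
        if ((b & 0x10) && !r.skip(n_s * 4)) return -1;  // Y: 16-bit W and H each
        if (b & 0x08) {                           // G: picture group description
            uint8_t n_g, g;
            if (!r.u8(n_g)) return -1;
            for (unsigned k = 0; k < n_g; ++k)    // R P_DIFF bytes per entry
                if (!r.u8(g) || !r.skip((g >> 2) & 0x03)) return -1;
        }
    }
    return static_cast<long>(r.pos);              // codec data starts at buf + pos
}
```

A caller drops the packet on -1 and otherwise treats `buf + result` onward as VP9 frame data.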

Affected products

2
  • cpe:2.3:a:zlmediakit:zlmediakit:*:*:*:*:*:*:*:* (range: <2026-03-29)
  • (no CPE)
