CVE-2026-41470

Vulnerability

LIVE555 RTSP server versions from v2025.01.17 through v2026.04.01 (verified range) contain an authorization bypass in session command handling [1]. The server accepts a valid Session: token on a second TCP connection without requiring authentication, allowing replay of commands like PLAY and TEARDOWN [1][2]. The fix is in v2026.04.22 [3].

Exploitation

An attacker must first obtain a valid Session: token from an authenticated SETUP request (e.g., by sniffing or social engineering) [1]. The attacker then opens a new unauthenticated TCP connection to the server and sends a PLAY or TEARDOWN request with the stolen token. The server responds with RTSP/1.0 200 OK and then crashes due to a stale callback pointer [1]. No authentication is required on the second connection.

Impact

Successful exploitation allows an attacker to disrupt active RTSP streams by terminating victim sessions or cause a denial of service via server crash (signal 11, exit code 139) [1]. The crash is a memory/lifetime safety failure; no code execution or information disclosure has been demonstrated [1][2]. The CVSS v3 score is 5.9 (Medium) [2].

Mitigation

Upgrade to LIVE555 v2026.04.22 or later, which adds authentication checks in PLAY, TEARDOWN, and PAUSE handlers, returning 401 Unauthorized on replay attempts [1][3]. No workaround is available for earlier versions. The fixed version is available from the official download site [3].