What Happened

ZLMediaKit, a widely used streaming media service framework, is vulnerable to a high-severity heap-buffer overflow tracked as CVE-2026-35203. The flaw sits in the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp and is triggered by malformed VP9 RTP packets whose flag bits announce fields that the payload does not actually carry. The vulnerability was publicly disclosed in October 2026, following its discovery in an internal security audit.

The issue is rooted in how the VP9 RTP payload parser reads several optional fields from the RTP payload, selecting them according to flags in the first byte, without confirming that the payload is long enough to hold them. When a crafted packet with a 1-byte payload (0xFF, with all flags set) is processed, the parser reads beyond the end of the buffer, resulting in a heap-buffer overflow. This class of vulnerability carries significant security risk, including potential remote code execution.

Technical Details

CVE-2026-35203 affects all recent versions of ZLMediaKit in which the vulnerable VP9 RTP payload parser code is present. The flaw lies in how the parser processes incoming RTP packets, specifically payloads crafted so that the flag bits promise more fields than the packet contains.

The core issue is that the parser trusts the flag bits in the first byte of the RTP payload without first verifying that the buffer holds enough bytes for the fields those flags announce. A packet built to exploit this makes the parser read past the allocated buffer boundary. The vulnerability has been assigned a CVSS score of 7.5, classifying it as high severity because it can be exploited remotely by adversaries with network access to the affected media service.
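As an added illustration (not ZLMediaKit's code and not the project's patch), a bounds-checked reading of the flag-driven VP9 payload descriptor fields described above: every optional field is read through one length check, so the 1-byte 0xFF payload is rejected instead of read past its end. The descriptor layout (I, P, L, F, V flags, picture ID, layer indices, P_DIFF list) is taken from the IETF VP9 RTP payload format draft and is an assumption of this example; the advisory itself gives no layout.

```cpp
#include <cstddef>
#include <cstdint>
// Descriptor fields that precede the VP9 frame data. Layout follows the IETF
// VP9 RTP payload format draft (assumed here; the advisory gives no layout).
struct Vp9Desc {
    bool ok = false;                            // false: rejected, nothing read past len
    bool i = false, p = false, l = false, f = false, v = false;
    uint16_t picture_id = 0;                    // valid when i is set
    uint8_t tid = 0, sid = 0, tl0picidx = 0;    // valid when l is set
    uint8_t p_diff[3] = {0, 0, 0};
    size_t p_diff_count = 0, header_len = 0;    // header_len: descriptor bytes consumed
};
// The only read primitive: succeeds only if a byte remains. Routing every
// flag-driven field through it is the check the advisory says was missing.
static bool rd(const uint8_t *buf, size_t len, size_t &pos, uint8_t &out) {
    if (pos >= len) return false;
    out = buf[pos++]; return true;
}
// Rejects (ok == false) any truncated descriptor instead of reading past len.
Vp9Desc parse_vp9_descriptor(const uint8_t *buf, size_t len) {
    Vp9Desc d;
    size_t pos = 0;
    uint8_t b = 0;
    if (!rd(buf, len, pos, b)) return Vp9Desc{};
    d.i = b & 0x80; d.p = b & 0x40; d.l = b & 0x20; d.f = b & 0x10; d.v = b & 0x02;
    if (d.i) {                                  // M|PID: 7-bit PID, 15-bit when M is set
        if (!rd(buf, len, pos, b)) return Vp9Desc{};
        bool m = b & 0x80; d.picture_id = b & 0x7f;
        if (m && !rd(buf, len, pos, b)) return Vp9Desc{};
        if (m) d.picture_id = (d.picture_id << 8) | b;
    }
    if (d.l) {                                  // TID|U|SID|D, then TL0PICIDX if F is clear
        if (!rd(buf, len, pos, b)) return Vp9Desc{};
        d.tid = b >> 5; d.sid = (b >> 1) & 0x07;
        if (!d.f && !rd(buf, len, pos, d.tl0picidx)) return Vp9Desc{};
    }
    if (d.p && d.f) {                           // P_DIFF list; low bit N means one more follows
        do {
            if (d.p_diff_count == 3 || !rd(buf, len, pos, b)) return Vp9Desc{};
            d.p_diff[d.p_diff_count++] = b >> 1;
        } while (b & 0x01);
    }
    if (d.v) return Vp9Desc{};                  // scalability structure not parsed in this example
    d.header_len = pos; d.ok = true;
    return d;
}
// Constructed sample payloads (not captures from the advisory).
static const uint8_t kTrigger[] = {0xFF};                             // 1 byte, all flags set
static const uint8_t kGood[] = {0xB0, 0x81, 0x23, 0x25, 0xAA, 0xBB};  // I,L,F set; 15-bit PID
```

The same pattern applies to any flag-driven field a real parser adds, including the scalability structure this example declines to parse.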

No specific indicators of compromise (IOCs) have been documented at this time; the only available signal is the appearance of unusual or malformed RTP packet structures, which could indicate exploitation attempts. Administrators should watch traffic patterns involving RTP payloads, especially those with non-standard lengths or structures.

Impact

The vulnerability directly affects users of ZLMediaKit, particularly deployments with VP9 RTP streaming enabled. Successful exploitation could lead to arbitrary code execution on the host system, letting attackers extend their access or deploy further malicious code.

Given the broad deployment of ZLMediaKit in streaming infrastructures, the impact could be widespread, affecting service integrity and potentially leading to service disruptions, data exfiltration, or the introduction of persistent threats within the network.

What To Do

  • Update ZLMediaKit: Apply the patch introduced in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d to mitigate the vulnerability.
  • Monitor Network Traffic: Inspect RTP flows for anomalous patterns indicating malformed VP9 RTP packets.
  • Deploy Network-Level Protections: Utilize intrusion detection systems (IDS) and intrusion prevention systems (IPS) to identify and block attempts to exploit this vulnerability.
  • Conduct Security Audits: Review other potential areas of vulnerability within your streaming framework and ensure security patches are routinely applied.

Organizations are urged to apply the patch as soon as possible to eliminate the risk posed by CVE-2026-35203. Proactive monitoring for unusual RTP payload activity should complement the update so that exploitation attempts can be detected and responded to in real time.