Heap Buffer Overflow in ZLMediaKit Streaming Framework
CVE-2026-35203

7.5 HIGH

Key Information:

Vendor

ZLMediaKit

CVE Published:
6 April 2026

What is CVE-2026-35203?

ZLMediaKit's VP9 RTP payload parser decides which descriptor fields to read from the flag bits of the payload's first byte alone and never checks that the remaining buffer actually holds those bytes. A remote, unauthenticated sender can therefore deliver a crafted VP9 RTP packet with a minimal payload whose flags promise more fields than are present and drive the parser past the end of the heap buffer. The result is a heap buffer overflow (an out-of-bounds read) that crashes the media server, a denial of service; the advisory also lists arbitrary code execution as a risk. The issue is fixed in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
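The bug class above, as an added example in C that is not ZLMediaKit's own (C++) code: a walker for the VP9 RTP payload descriptor from draft-ietf-payload-vp9, where the I, P, L, F and V flag bits of the first byte decide which optional bytes follow. The `checked` argument toggles the length test the advisory says was missing, so the same input can be fed to both shapes: the checked parse rejects a one-byte payload, while the unchecked parse, run over a deliberately larger 0xFF-filled backing array so the over-read can be measured rather than crash, walks more than a kilobyte past the end of the packet. The `vp9_parse` name, the descriptor struct and both packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example only, not ZLMediaKit code. Field layout follows the VP9 RTP
 * payload descriptor (draft-ietf-payload-vp9); only the descriptor is
 * parsed, the VP9 frame bytes after it are left to the caller. */
enum { F_I = 0x80, F_P = 0x40, F_L = 0x20, F_F = 0x10, F_V = 0x02 };

typedef struct {
    uint8_t flags;     /* I P L F B E V Z of the first byte, MSB first */
    int picture_id;    /* -1 when the I bit is clear */
    int tl0picidx;     /* -1 unless L is set and F is clear */
    int n_pdiff;       /* P_DIFF bytes present when P and F are set */
    uint8_t pdiff[3];
} vp9_desc;

/* Read one descriptor byte. checked == 0 is the vulnerable shape: the index
 * advances on the strength of a flag bit alone and len is never consulted.
 * checked == 1 makes a short payload fail the parse instead. */
#define RD(var) do { if (checked && pos >= len) return 0; (var) = buf[pos++]; } while (0)
#define SKIP(n) do { if (checked && (n) > len - pos) return 0; pos += (n); } while (0)

/* Returns the descriptor length, or 0 when a checked parse ran out of data.
 * An unchecked parse of a short payload returns more than len: the over-read. */
static size_t vp9_parse(const uint8_t *buf, size_t len, vp9_desc *d, int checked)
{
    size_t pos = 0;
    uint8_t b;
    memset(d, 0, sizeof *d);
    d->picture_id = d->tl0picidx = -1;

    RD(d->flags);
    if (d->flags & F_I) {                          /* M | PICTURE ID [| EXT] */
        RD(b);
        d->picture_id = b & 0x7f;
        if (b & 0x80) { RD(b); d->picture_id = (d->picture_id << 8) | b; }
    }
    if (d->flags & F_L) {                          /* TID | U | SID | D */
        SKIP(1);
        if (!(d->flags & F_F)) RD(d->tl0picidx);   /* non-flexible mode only */
    }
    if ((d->flags & (F_P | F_F)) == (F_P | F_F)) { /* up to three P_DIFF | N */
        for (int n = 0; n < 3; n++) {
            RD(b);
            d->pdiff[d->n_pdiff++] = b >> 1;
            if (!(b & 1)) break;
        }
    }
    if (d->flags & F_V) {                          /* scalability structure */
        RD(b);
        size_t n_s = (b >> 5) + 1, y = (b >> 4) & 1, g = (b >> 3) & 1;
        if (y) SKIP(4 * n_s);                      /* WIDTH, HEIGHT per layer */
        if (g) {
            uint8_t n_g, t;
            RD(n_g);
            for (unsigned k = 0; k < n_g; k++) {   /* TID|U|R, then R P_DIFFs */
                RD(t);
                SKIP((t >> 2) & 3);
            }
        }
    }
    return pos;
}

/* Constructed packet, not a capture: I,P,L,F,V set, picture id 0x123, two
 * P_DIFFs, one 640x360 spatial layer with a one-entry picture group. */
static const uint8_t k_good[] = { 0xFE, 0x81, 0x23, 0x00, 0x03, 0x04,
                                  0x18, 0x02, 0x80, 0x01, 0x68, 0x01, 0x04, 0x01 };

size_t parse_good_checked(vp9_desc *d) { return vp9_parse(k_good, sizeof k_good, d, 1); }

/* The advisory's trigger shape: a one-byte payload whose flags promise more. */
size_t parse_minimal_checked(void)
{
    vp9_desc d;
    uint8_t pkt[1] = { 0xFE };
    return vp9_parse(pkt, sizeof pkt, &d, 1);
}

/* Same one-byte payload through the unchecked shape. The 0xFF backing stands
 * in for whatever heap memory follows the real packet; every flag, count and
 * R field it yields is maximal, so the walk runs 1060 bytes past len. */
size_t overread_bytes_unchecked(void)
{
    static uint8_t backing[2048];
    vp9_desc d;
    memset(backing, 0xFF, sizeof backing);
    backing[0] = 0xFE;
    return vp9_parse(backing, 1, &d, 0) - 1;
}

int main(void)
{
    vp9_desc d;
    printf("good packet: %zu descriptor bytes, picture id %d\n",
           parse_good_checked(&d), d.picture_id);
    printf("1-byte payload, checked: %zu (0 = rejected)\n", parse_minimal_checked());
    printf("1-byte payload, unchecked: read %zu bytes past the end\n",
           overread_bytes_unchecked());
    return 0;
}
```

The size of the over-read is attacker-controlled: the N_S, N_G and R counts inside the scalability structure multiply whatever bytes happen to follow the packet in memory, which is why a single flag byte is enough to reach far beyond the allocation. The fix is the guard in `RD`/`SKIP`: compare against the remaining length before every read and fail the whole packet on the first shortfall.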

Affected Version(s)

ZLMediaKit before fix commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 6 April 2026

  • Vulnerability reserved