theinfosecnews

CVE-2026-35203

Published April 7, 2026 · Updated April 7, 2026

CVSS 7.5 (High)

What This Means

CVE-2026-35203 is a high-severity vulnerability in the VP9 RTP payload parser of ZLMediaKit (ext-codec/VP9Rtp.cpp). The parser trusts the flag bits in the first byte of the RTP payload and reads the fields those flags announce without first checking that the buffer actually contains them. A single crafted packet whose payload is the one byte 0xFF (every flag set) therefore makes the parser read past the end of the allocated buffer: a heap-buffer-overflow read. Anyone able to send RTP to the server can crash the media service with that one packet. The page reports an out-of-bounds read, not a write, so arbitrary code execution is not what is described here. Operators should upgrade to a build that contains commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.

Official Description

ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buffer-overflow. This vulnerability is fixed with commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d.
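The description above comes down to one missing check per field. As an added illustration (this is not ZLMediaKit's code and not the patched VP9Rtp.cpp), the C++ below walks the VP9 RTP payload descriptor as laid out in RFC 9628 through a reader that refuses every read past the end of the buffer, so the 1-byte 0xFF payload named in the description is rejected instead of read past. `min_descriptor_len` shows how many bytes the flag byte alone promises, which is the distance an unchecked parser would over-read. The type and function names are this example's own, and the sample packets are constructed for it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Descriptor fields a depacketizer needs (RFC 9628). Example type, not ZLMediaKit's.
struct Vp9Descriptor {
    bool I = false, P = false, L = false, F = false;
    bool B = false, E = false, V = false, Z = false;
    uint16_t picture_id = 0;                  // when I=1 (7 or 15 bits)
    uint8_t tid = 0, sid = 0;                 // when L=1
    bool u = false, d = false;                // when L=1
    uint8_t tl0picidx = 0;                    // when L=1 and F=0
    std::vector<uint8_t> p_diff;              // when P=1 and F=1
    std::vector<std::pair<uint16_t, uint16_t>> layer_sizes; // SS, when V=1 and Y=1
    size_t header_len = 0;                    // bytes consumed; VP9 frame data follows
};

// Every field read goes through this cursor. The length check before each
// read is the one the vulnerable parser did not perform.
class BoundedReader {
public:
    BoundedReader(const uint8_t* p, size_t n) : p_(p), n_(n) {}
    bool read(uint8_t& out) {
        if (pos_ >= n_) return false;         // buffer exhausted: fail closed
        out = p_[pos_++];
        return true;
    }
    size_t pos() const { return pos_; }
private:
    const uint8_t* p_;
    size_t n_;
    size_t pos_ = 0;
};

// Minimum descriptor length implied by the flag byte alone (M, N and SS
// sub-fields can only make it longer). For 0xFF this is 5 bytes against a
// 1-byte payload.
size_t min_descriptor_len(uint8_t first) {
    bool I = first & 0x80, P = first & 0x40, L = first & 0x20, F = first & 0x10, V = first & 0x02;
    size_t n = 1;
    if (I) n += 1;                 // PICTURE ID, at least one byte
    if (L) n += F ? 1 : 2;         // TID|U|SID|D, plus TL0PICIDX when F=0
    if (P && F) n += 1;            // at least one P_DIFF byte
    if (V) n += 1;                 // at least the SS header byte
    return n;
}

// Parses the descriptor at data[0..len). Returns false when the flags
// announce fields the buffer does not hold (the CVE-2026-35203 case).
bool parse_vp9_descriptor(const uint8_t* data, size_t len, Vp9Descriptor& d) {
    BoundedReader r(data, len);
    uint8_t b = 0;
    if (!r.read(b)) return false;
    d.I = b & 0x80; d.P = b & 0x40; d.L = b & 0x20; d.F = b & 0x10;
    d.B = b & 0x08; d.E = b & 0x04; d.V = b & 0x02; d.Z = b & 0x01;

    if (d.I) {                                 // M|PICTURE ID
        if (!r.read(b)) return false;
        if (b & 0x80) {                        // M=1: 15-bit ID, one more byte
            uint8_t lo = 0;
            if (!r.read(lo)) return false;
            d.picture_id = static_cast<uint16_t>(((b & 0x7F) << 8) | lo);
        } else {
            d.picture_id = b & 0x7F;
        }
    }
    if (d.L) {                                 // TID|U|SID|D, then TL0PICIDX unless F=1
        if (!r.read(b)) return false;
        d.tid = b >> 5; d.u = b & 0x10; d.sid = (b >> 1) & 0x07; d.d = b & 0x01;
        if (!d.F && !r.read(d.tl0picidx)) return false;
    }
    if (d.P && d.F) {                          // up to three P_DIFF|N bytes
        for (int i = 0; i < 3; ++i) {
            if (!r.read(b)) return false;
            d.p_diff.push_back(b >> 1);
            if (!(b & 0x01)) break;            // N=0: last P_DIFF
        }
    }
    if (d.V) {                                 // scalability structure: N_S|Y|G|-
        if (!r.read(b)) return false;
        int n_s = (b >> 5) + 1;
        bool y = b & 0x10, g = b & 0x08;
        if (y) {
            for (int i = 0; i < n_s; ++i) {    // WIDTH and HEIGHT, 16 bits each
                uint8_t w0 = 0, w1 = 0, h0 = 0, h1 = 0;
                if (!r.read(w0) || !r.read(w1) || !r.read(h0) || !r.read(h1)) return false;
                d.layer_sizes.emplace_back(static_cast<uint16_t>((w0 << 8) | w1),
                                           static_cast<uint16_t>((h0 << 8) | h1));
            }
        }
        if (g) {                               // N_G pictures: T|U|R|- plus R P_DIFF bytes each
            uint8_t n_g = 0;
            if (!r.read(n_g)) return false;
            for (int i = 0; i < n_g; ++i) {
                if (!r.read(b)) return false;
                int refs = (b >> 2) & 0x03;
                for (int k = 0; k < refs; ++k)
                    if (!r.read(b)) return false;
            }
        }
    }
    d.header_len = r.pos();
    return true;
}

int main() {
    const uint8_t crafted[] = {0xFF};                              // constructed: the CVE trigger
    const uint8_t good[] = {0xAC, 0x2A, 0x21, 0x07, 0xDE, 0xAD};   // constructed: I,L,B,E set + 2 data bytes
    Vp9Descriptor d;
    std::printf("0xFF promises >= %zu bytes, payload has 1: %s\n", min_descriptor_len(0xFF),
                parse_vp9_descriptor(crafted, sizeof crafted, d) ? "parsed" : "rejected");
    d = Vp9Descriptor();
    if (parse_vp9_descriptor(good, sizeof good, d))
        std::printf("picture_id=%u tid=%u tl0picidx=%u header_len=%zu\n",
                    d.picture_id, d.tid, d.tl0picidx, d.header_len);
    return 0;
}
```

The same reader pattern applies to any RTP payload header whose length is data-dependent: decide the field is present from the flag, then ask the reader for it, and let the reader, not the caller, decide whether the bytes exist.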

Recommended Actions

  1. Check whether you run ZLMediaKit and whether any deployment ingests VP9 over RTP; the affected component is the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp.
  2. Upgrade to a build that includes commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d, or rebuild from a source tree that contains it. This page gives no fixed release number, so verify the fix by commit rather than by version string.
  3. Until patched, limit which hosts can push RTP streams to the server (network ACLs, authentication on publish endpoints): one malformed packet is enough to trigger the bug.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review service logs and crash reports for unexpected restarts of the media server. A heap-buffer-overflow read shows up as a crash (or, in a sanitizer build, as a heap-buffer-overflow report), not as a conventional indicator of compromise.
