Bug 2430836 (CVE-2026-1200)

Summary: CVE-2026-1200 live555: live555: Remote Code Execution via segmentation fault in increaseBufferTo function
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the rgaufman/live555 fork of live555. A remote attacker could exploit a segmentation fault in the `increaseBufferTo` function. This vulnerability can lead to memory corruption problems and potentially other consequences.
Bug Depends On: 2430842, 2430843, 2430844, 2430845    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-19 14:14:57 UTC
live555 1.13 is affected by SEGV when executing function increaseBufferTo. This may result in remote code execution.

Summary
A segmentation fault was found in live555

Details
uname -a:
Linux ubuntu 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

git last commit:
commit a0eb8f9
Author: Roman Gaufman roman
Date: Tue Oct 29 16:47:37 2024 +0000

poc_45545329.zip

run this command to reproduce:
valgrind ./testProgs/testOnDemandRTSPServer
aflnet-replay poc RTSP 8554

information from valgrind:
=== Validation Session: ./testOnDemandRTSPServer with replay ===
==2783== Memcheck, a memory error detector
==2783== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2783== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==2783== Command: ./testOnDemandRTSPServer 8554
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x4DD39F: increaseBufferTo(UsageEnvironment&, int, int, unsigned int) (GroupsockHelper.cpp:522)
==2783== by 0x4AF7E1: OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, TLSState*, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) (OnDemandServerMediaSubsession.cpp:214)
==2783== by 0x40F39D: RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup2(ServerMediaSession*) (RTSPServer.cpp:1588)
==2783== by 0x40DE15: RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup1(ServerMediaSession*) (RTSPServer.cpp:1404)
==2783== by 0x4AB631: GenericMediaServer::lookupServerMediaSession(char const*, void (*)(void*, ServerMediaSession*), void*, unsigned char) (GenericMediaServer.cpp:48)
==2783== by 0x40D273: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:890)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a stack allocation
==2783== at 0x4AED70: OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, TLSState*, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) (OnDemandServerMediaSubsession.cpp:123)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x439095: WAVAudioFileServerMediaSubsession::testScaleFactor(float&) (WAVAudioFileServerMediaSubsession.cpp:214)
==2783== by 0x41092B: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1796)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x410AE1: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1820)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x410B6C: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1829)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x410BF7: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1831)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783==
==2783== Process terminating with default action of signal 15 (SIGTERM)
==2783== at 0x501E19A: select (select.c:41)
==2783== by 0x4E878F: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:90)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783==
==2783== HEAP SUMMARY:
==2783== in use at exit: 48,725 bytes in 551 blocks
==2783== total heap usage: 2,241 allocs, 1,690 frees, 462,148 bytes allocated
==2783==
==2783== LEAK SUMMARY:
==2783== definitely lost: 0 bytes in 0 blocks
==2783== indirectly lost: 0 bytes in 0 blocks
==2783== possibly lost: 0 bytes in 0 blocks
==2783== still reachable: 48,725 bytes in 551 blocks
==2783== suppressed: 0 bytes in 0 blocks
==2783== Reachable blocks (those to which a pointer was found) are not shown.
==2783== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2783==
==2783== For lists of detected and suppressed errors, rerun with: -s
==2783== ERROR SUMMARY: 15 errors from 5 contexts (suppressed: 0 from 0)

Impact
This vulnerability is capable of crashing software, modifying memory, and possibly remote execution.
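
An added example, not part of the bug report or of live555: a triage pass over Memcheck output like the log above that groups findings by error context and separates uninitialised-value reports from invalid-access or fatal-signal evidence. `triage`, the constant names and the abbreviated `SAMPLE_LOG` excerpt are assumptions of this example.

```python
import re

# Abbreviated excerpt of the Memcheck log above (two of the five contexts, "at" frames only).
SAMPLE_LOG = """\
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x4DD39F: increaseBufferTo(UsageEnvironment&, int, int, unsigned int) (GroupsockHelper.cpp:522)
==2783== Uninitialised value was created by a stack allocation
==2783== at 0x4AED70: OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, TLSState*, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) (OnDemandServerMediaSubsession.cpp:123)
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x439095: WAVAudioFileServerMediaSubsession::testScaleFactor(float&) (WAVAudioFileServerMediaSubsession.cpp:214)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== Process terminating with default action of signal 15 (SIGTERM)
==2783== at 0x501E19A: select (select.c:41)
"""

PREFIX = re.compile(r"^==\d+==(.*)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+) \((.+)\)$")
SIGNAL = re.compile(r"Process terminating with default action of signal \d+ \((\w+)\)")
UNINIT = ("Conditional jump or move depends on uninitialised value",
          "Use of uninitialised value")
MEMORY_FAULTS = ("Invalid read", "Invalid write", "Invalid free", "Jump to the invalid address")
FATAL_SIGNALS = {"SIGSEGV", "SIGBUS", "SIGABRT", "SIGILL"}


def triage(log):
    """Group Memcheck findings by error context and record the terminating signal."""
    contexts, signal, cur = [], None, None
    for raw in log.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        sig = SIGNAL.search(body)
        if sig:
            signal, cur = sig.group(1), None  # frames after this belong to the signal
        elif body.startswith(UNINIT + MEMORY_FAULTS):
            cur = {"kind": body, "top": None, "where": None, "origin": None}
            contexts.append(cur)
        elif cur and body.startswith("Uninitialised value was created by"):
            cur["origin"] = body.rsplit("by ", 1)[1]  # e.g. "a stack allocation"
        elif cur and cur["top"] is None and (f := FRAME.match(body)):
            # First frame after the error line is where Memcheck flagged the use.
            cur["top"], cur["where"] = f.group(1).split("(")[0], f.group(2)
    invalid = any(c["kind"].startswith(MEMORY_FAULTS) for c in contexts)
    return {"contexts": contexts, "signal": signal,
            "crash_evidence": invalid or signal in FATAL_SIGNALS}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print([(c["top"], c["where"], c["origin"]) for c in r["contexts"]], r["signal"], r["crash_evidence"])
```

On the excerpt it returns two uninitialised-value contexts, with `increaseBufferTo` at `GroupsockHelper.cpp:522` traced to a stack allocation, and `SIGTERM` as the terminating signal.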

Comment 2 Dominik 'Rathann' Mierzejewski 2026-02-14 21:23:57 UTC
(In reply to OSIDB Bzimport from comment #0)
> live555 1.13 is affected by SEGV when executing function increaseBufferTo.
> This may result in remote code execution.

There's no such thing as live555 1.13.

> Summary
> A segmentation fault was found in live555
> 
> Details
> uname -a:
> Linux ubuntu 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025
> x86_64 x86_64 x86_64 GNU/Linux
> 
> git last commit:
> commit a0eb8f9
> Author: Roman Gaufman roman
> Date: Tue Oct 29 16:47:37 2024 +0000

This is not the author of live555 and they don't provide a public git repo, only source tarballs.

This was reported to an unofficial live555 fork hosted on GitHub (https://github.com/rgaufman/live555/), but not to the original upstream.

Upstream does not consider issues reported against unofficial forks as actionable: http://lists.live555.com/pipermail/live-devel/2026-February/022783.html .