Bug 2430836 (CVE-2026-1200) - CVE-2026-1200 live555: live555: Remote Code Execution via segmentation fault in increaseBufferTo function
Summary: CVE-2026-1200 live555: live555: Remote Code Execution via segmentation fault ...
Keywords:
Status: NEW
Alias: CVE-2026-1200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2430842 2430843 2430844 2430845
Blocks:
Reported: 2026-01-19 14:14 UTC by OSIDB Bzimport
Modified: 2026-01-19 14:56 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-19 14:14:57 UTC
live555 1.13 is affected by SEGV when executing function increaseBufferTo. This may result in remote code execution.

Summary
A segmentation fault was found in live555

Details
uname -a:
Linux ubuntu 5.15.0-136-generic #147-Ubuntu SMP Sat Mar 15 15:53:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

git last commit:
commit a0eb8f9
Author: Roman Gaufman roman
Date: Tue Oct 29 16:47:37 2024 +0000

poc_45545329.zip

Run these commands to reproduce:
valgrind ./testProgs/testOnDemandRTSPServer
aflnet-replay poc RTSP 8554

information from valgrind:
=== Validation Session: ./testOnDemandRTSPServer with replay ===
==2783== Memcheck, a memory error detector
==2783== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2783== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==2783== Command: ./testOnDemandRTSPServer 8554
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x4DD39F: increaseBufferTo(UsageEnvironment&, int, int, unsigned int) (GroupsockHelper.cpp:522)
==2783== by 0x4AF7E1: OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, TLSState*, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) (OnDemandServerMediaSubsession.cpp:214)
==2783== by 0x40F39D: RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup2(ServerMediaSession*) (RTSPServer.cpp:1588)
==2783== by 0x40DE15: RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup1(ServerMediaSession*) (RTSPServer.cpp:1404)
==2783== by 0x4AB631: GenericMediaServer::lookupServerMediaSession(char const*, void (*)(void*, ServerMediaSession*), void*, unsigned char) (GenericMediaServer.cpp:48)
==2783== by 0x40D273: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:890)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a stack allocation
==2783== at 0x4AED70: OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, TLSState*, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) (OnDemandServerMediaSubsession.cpp:123)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x439095: WAVAudioFileServerMediaSubsession::testScaleFactor(float&) (WAVAudioFileServerMediaSubsession.cpp:214)
==2783== by 0x41092B: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1796)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x410AE1: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1820)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x410B6C: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1829)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x410BF7: RTSPServer::RTSPClientSession::handleCmd_PLAY(RTSPServer::RTSPClientConnection*, ServerMediaSubsession*, char const*) (RTSPServer.cpp:1831)
==2783== by 0x410319: RTSPServer::RTSPClientSession::handleCmd_withinSession(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*, char const*) (RTSPServer.cpp:1742)
==2783== by 0x40D457: RTSPServer::RTSPClientConnection::handleRequestBytes(int) (RTSPServer.cpp:999)
==2783== by 0x4AD02B: GenericMediaServer::ClientConnection::incomingRequestHandler() (GenericMediaServer.cpp:323)
==2783== by 0x4E8EF2: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:171)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(UsageEnvironment&, char const*, unsigned char, unsigned char) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783== by 0x40432C: main (testOnDemandRTSPServer.cpp:213)
==2783==
==2783==
==2783== Process terminating with default action of signal 15 (SIGTERM)
==2783== at 0x501E19A: select (select.c:41)
==2783== by 0x4E878F: BasicTaskScheduler::SingleStep(unsigned int) (BasicTaskScheduler.cpp:90)
==2783== by 0x4ED2EB: BasicTaskScheduler0::doEventLoop(char volatile*) (BasicTaskScheduler0.cpp:87)
==2783== by 0x405465: main (testOnDemandRTSPServer.cpp:462)
==2783==
==2783== HEAP SUMMARY:
==2783== in use at exit: 48,725 bytes in 551 blocks
==2783== total heap usage: 2,241 allocs, 1,690 frees, 462,148 bytes allocated
==2783==
==2783== LEAK SUMMARY:
==2783== definitely lost: 0 bytes in 0 blocks
==2783== indirectly lost: 0 bytes in 0 blocks
==2783== possibly lost: 0 bytes in 0 blocks
==2783== still reachable: 48,725 bytes in 551 blocks
==2783== suppressed: 0 bytes in 0 blocks
==2783== Reachable blocks (those to which a pointer was found) are not shown.
==2783== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==2783==
==2783== For lists of detected and suppressed errors, rerun with: -s
==2783== ERROR SUMMARY: 15 errors from 5 contexts (suppressed: 0 from 0)

Impact
This vulnerability is capable of crashing software, modifying memory, and possibly remote execution.
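
For triaging a Memcheck log like the one in this report, the following Python sketch (an added example, not part of the original report or of live555) groups each error context by its faulting frame and by the allocation that produced the uninitialised value, and records the terminating signal. The sample input is abridged from the log above; `parse_memcheck` and `FATAL` are names chosen for this example.

```python
import re

# Abridged from the Memcheck log in this report (frames trimmed, argument lists shortened).
SAMPLE = """\
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x4DD39F: increaseBufferTo(UsageEnvironment&, int, int, unsigned int) (GroupsockHelper.cpp:522)
==2783== Uninitialised value was created by a stack allocation
==2783== at 0x4AED70: OnDemandServerMediaSubsession::getStreamParameters(...) (OnDemandServerMediaSubsession.cpp:123)
==2783==
==2783== Conditional jump or move depends on uninitialised value(s)
==2783== at 0x439095: WAVAudioFileServerMediaSubsession::testScaleFactor(float&) (WAVAudioFileServerMediaSubsession.cpp:214)
==2783== Uninitialised value was created by a heap allocation
==2783== at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==2783== by 0x4382A6: WAVAudioFileServerMediaSubsession::createNew(...) (WAVAudioFileServerMediaSubsession.cpp:30)
==2783==
==2783== Process terminating with default action of signal 15 (SIGTERM)
==2783== at 0x501E19A: select (select.c:41)
"""

PREFIX = re.compile(r"^==\d+== ?")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(([^()]+)\)$")
FATAL = {"SIGSEGV", "SIGBUS", "SIGABRT"}  # signals that indicate the target itself crashed

def parse_memcheck(text):
    """Return (contexts, signal); each context has kind, site, origin, origin_site."""
    contexts, signal, cur, want = [], None, None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        m = FRAME.match(line)
        if m:
            # Keep the first frame that lies in program source, skipping Valgrind's own .so frames.
            if cur is not None and want and cur[want] is None and not m.group(2).startswith("in "):
                cur[want] = (m.group(1).split("(")[0], m.group(2))
        elif line.startswith("Process terminating"):
            sig = re.search(r"\((SIG\w+)\)", line)
            signal, cur = (sig.group(1) if sig else None), None
        elif line.startswith("Uninitialised value was created by"):
            if cur is not None:
                cur["origin"], want = line.split(" by a ")[-1], "origin_site"
        elif "uninitialised value" in line or line.startswith("Invalid "):
            cur = {"kind": line, "site": None, "origin": None, "origin_site": None}
            contexts.append(cur)
            want = "site"
    return contexts, signal
```

Comparing the returned signal against `FATAL` separates a log in which the target process crashed from one in which the session was stopped externally.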

