[Live-devel] Potential use-after-free vulnerabilities in LIVE555 (2026.02.26)
lty23 at mails.tsinghua.edu.cn
Fri Mar 20 13:46:39 PDT 2026
Dear LIVE555 maintainers,
I am a software security researcher and I would like to report two potential use-after-free vulnerabilities discovered in the latest version (2026.02.26) of LIVE555.
1. Use-after-free in SocketDescriptor::tcpReadHandler1
A use-after-free in the SocketDescriptor::tcpReadHandler1 function (liveMedia/RTPInterface.cpp:536) of LIVE555 (of version 2026.02.26) allows attackers to cause a Denial of Service (DoS) via sending crafted RTSP and HTTP requests to the server.
The buffer is allocated in the RTSPServer::createNewClientConnection function (liveMedia/RTSPServer.cpp:2022:10) and freed in the RTSPServer::RTSPClientConnection::~RTSPClientConnection function (liveMedia/RTSPServer.cpp:341:59).
2. Use-after-free in RTPInterface::sendDataOverTCP
A use-after-free in the RTPInterface::sendDataOverTCP function (liveMedia/RTPInterface.cpp:383) of LIVE555 (of version 2026.02.26) allows attackers to cause a Denial of Service (DoS) via sending crafted RTSP requests to the server.
The buffer is allocated in the RTSPServer::createNewClientConnection function (liveMedia/RTSPServer.cpp:2022:10) and freed in the RTSPServer::RTSPClientConnection::~RTSPClientConnection function (liveMedia/RTSPServer.cpp:341:59).
These two vulnerabilities appear to share the same allocation and deallocation sites. I am not sure whether they stem from the same root cause or should be treated as distinct vulnerabilities.
I have attached a PoC package (live555-poc.zip), which includes the reproduction steps and GDB crash outputs.
Best regards,
Tianyang Liu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: live555-poc.zip
Type: application/x-zip-compressed
Size: 2468292 bytes
Desc: not available
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20260321/cfb649c7/attachment-0001.bin>