CVE-2026-41470

HIGH EPSS 38.2%

Published May 19, 20261mo ago · Modified Jun 17, 20261w ago

8.2 CVSS 4.0

High

Published May 19, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions.

CVSS Details

Base Score

8.2

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity High

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

38.2% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

References 3

download.live555.com https://download.live555.com/
gist.github.com https://gist.github.com/yhcho0405/ee9b67a96808ef19f22e8a4ee88c795f
vulncheck.com https://www.vulncheck.com/advisories/live555-rtsp-server-authorization-bypass-via-session-token

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.