CVE-2025-65408 Overview
A NULL pointer dereference vulnerability has been identified in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02. This vulnerability allows remote attackers to cause a Denial of Service (DoS) condition by supplying a specially crafted ADTS (Audio Data Transport Stream) file to the affected streaming media server.
Live555 is a widely-used open-source library for streaming media, commonly integrated into multimedia applications, surveillance systems, and embedded devices. The vulnerability stems from improper handling of malformed audio file input, leading to a NULL pointer dereference that crashes the application.
Critical Impact
Remote attackers can crash Live555 Streaming Media servers without authentication by supplying a malicious ADTS audio file, causing service disruption for all connected clients.
Affected Products
- Live555 Streaming Media v2018.09.02
- Applications and systems integrating vulnerable Live555 library versions
- Media streaming servers and embedded devices using affected Live555 components
Discovery Timeline
- 2025-12-01 - CVE-2025-65408 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-65408
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference), a memory corruption issue that occurs when a program attempts to read or write data through a NULL memory pointer. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
The CVSS metrics indicate:
- Attack Vector (AV): Network - The vulnerability is exploitable remotely
- Attack Complexity (AC): Low - No specialized conditions required
- Privileges Required (PR): None - No authentication needed
- User Interaction (UI): Required - A user must process the malicious file
- Scope (S): Unchanged - Impact limited to the vulnerable component
- Confidentiality (C): None - No data disclosure
- Integrity (I): None - No data modification
- Availability (A): High - Complete denial of service
The EPSS (Exploit Prediction Scoring System) probability is 0.049% (15th percentile), indicating a relatively low likelihood of exploitation in the wild.
Root Cause
The root cause of CVE-2025-65408 lies in insufficient input validation within the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function. When processing ADTS audio files, the function fails to properly validate that required objects or memory allocations have succeeded before dereferencing pointers.
ADTS is a format used for streaming AAC audio content. When a malformed ADTS file with unexpected or missing header information is processed, internal parsing routines may return NULL instead of valid object pointers. The createNewRTPSink() function then attempts to use these NULL pointers without checking their validity, resulting in a crash.
Attack Vector
The attack vector for this vulnerability involves network-based exploitation where an attacker supplies a crafted ADTS audio file to a Live555 streaming server. The attack scenario typically unfolds as follows:
- The attacker crafts a malicious ADTS file with malformed header structures or invalid audio frame parameters
- The crafted file is submitted to the vulnerable Live555 server for streaming
- When the server attempts to create an RTP sink for the audio stream, the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function is called
- The malformed input causes internal parsing to fail and return NULL pointers
- The function dereferences the NULL pointer, triggering a segmentation fault or access violation
- The streaming server crashes, denying service to all connected clients
The vulnerability mechanism involves the ADTS parsing component failing to allocate or initialize required data structures when encountering malformed audio headers. Without proper NULL checks before pointer dereferencing, the application crashes when attempting to access memory at address 0x0. For detailed technical analysis, refer to the vulnerability documentation on Shimo.
Detection Methods for CVE-2025-65408
Indicators of Compromise
- Application crashes or segmentation faults in Live555 streaming processes
- Core dumps containing stack traces pointing to ADTSAudioFileServerMediaSubsession::createNewRTPSink()
- Unusual or malformed ADTS files in upload directories or streaming queues
- Repeated streaming service restarts or availability issues
- Log entries indicating failed RTP sink creation for audio streams
Detection Strategies
Organizations can implement several detection strategies to identify exploitation attempts:
Process Monitoring: Monitor Live555-based processes for unexpected crashes or restarts. Implement automatic alerting when streaming services become unavailable or generate crash dumps.
File Analysis: Implement content inspection for ADTS files being processed by the streaming server. Flag files with malformed headers, invalid frame lengths, or suspicious structural anomalies.
Network Traffic Analysis: Monitor incoming media file uploads and streaming requests for patterns consistent with fuzzing or exploitation attempts. Watch for repeated failed streaming attempts from the same source.
System Logging: Enable detailed logging for the Live555 media subsystem to capture error conditions that precede crashes.
Monitoring Recommendations
SentinelOne customers can leverage the Singularity platform to monitor for exploitation attempts targeting this vulnerability:
- Behavioral Detection: SentinelOne's behavioral AI can detect application crash patterns and anomalous process terminations associated with NULL pointer dereference exploits
- Endpoint Telemetry: Monitor for crash events in processes linked against vulnerable Live555 libraries
- File Inspection: Use SentinelOne's file analysis capabilities to identify malformed media files before processing
- Application Control: Implement allowlisting policies to control which media files can be processed by streaming servers
How to Mitigate CVE-2025-65408
Immediate Actions Required
- Identify all systems running Live555 Streaming Media v2018.09.02 or applications using this library version
- Update to the latest version of Live555 that includes fixes for NULL pointer handling
- Implement input validation to reject malformed ADTS files before processing
- Consider deploying a web application firewall (WAF) or media proxy to filter malicious file uploads
- Enable crash monitoring and automatic service recovery for affected streaming services
Patch Information
Organizations should update to a patched version of Live555 Streaming Media. The official Live555 source repository is available at https://github.com/rgaufman/live555. Review the commit history for patches addressing NULL pointer dereference issues in the ADTS audio subsystem.
When updating, ensure all dependent applications that link against the Live555 library are recompiled or updated to use the patched version. Test thoroughly in a staging environment before deploying to production streaming infrastructure.
Workarounds
If immediate patching is not feasible, consider the following workarounds to reduce exposure:
Disable ADTS Audio Support: If ADTS audio streaming is not required, disable the ADTSAudioFileServerMediaSubsession component in your Live555 configuration.
Implement Input Validation: Deploy a preprocessing layer that validates ADTS file integrity before passing files to the Live555 server. Reject files with malformed headers or invalid frame structures.
Network Segmentation: Isolate streaming servers from untrusted networks and implement strict access controls for media file uploads.
Resource Limits: Configure process supervisors (systemd, supervisord) to automatically restart crashed streaming processes while alerting administrators to potential attacks.
Rate Limiting: Implement rate limiting on media upload endpoints to slow down potential exploitation or fuzzing attempts.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
