CVE-2026-41470 Overview
CVE-2026-41470 is an authorization bypass vulnerability in LIVE555 before version 2026.04.22. The flaw resides in the Real Time Streaming Protocol (RTSP) session command handling logic. Attackers can replay valid Session tokens captured from unauthenticated connections to issue commands on a second Transmission Control Protocol (TCP) connection without authentication. Successful exploitation lets attackers send PLAY and TEARDOWN commands that crash the server through virtual function call errors or disrupt active streams by terminating victim sessions. The vulnerability is classified under CWE-863: Incorrect Authorization and affects deployments using LIVE555 as an RTSP streaming server.
Critical Impact
Remote unauthenticated attackers can crash LIVE555 RTSP servers or disconnect legitimate streaming clients by replaying captured session tokens over a separate TCP connection.
Affected Products
- LIVE555 streaming media library before version 2026.04.22
- RTSP server implementations built on LIVE555
- Embedded devices and applications bundling vulnerable LIVE555 builds
Discovery Timeline
- 2026-05-19 - CVE-2026-41470 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in the NVD database
Technical Details for CVE-2026-41470
Vulnerability Analysis
LIVE555 is a widely deployed C++ library that implements RTSP, Real-time Transport Protocol (RTP), and Real-Time Control Protocol (RTCP) for streaming media. The vulnerability stems from how the server validates the Session header on incoming RTSP requests. The server treats any client presenting a known Session token as the legitimate owner of that session. It does not bind the session to the originating TCP connection or to authentication state. Attackers who observe a valid Session token can open a separate TCP connection and submit commands against that session identifier.
Two exploitation outcomes are documented. Sending a crafted PLAY or TEARDOWN on the second connection can trigger a virtual function call against an object in an inconsistent state, crashing the server process. Alternatively, a TEARDOWN cleanly terminates the active stream, denying service to the legitimate viewer without crashing the daemon.
Root Cause
The root cause is missing authorization enforcement on session-scoped RTSP commands. The handler relies on the secrecy of the Session token rather than verifying that the issuing connection authenticated and originally established the session. Session tokens are not cryptographically bound to a client identity or transport channel.
Attack Vector
The attack is network-reachable and requires no privileges or user interaction. An attacker must first obtain a valid Session token, which may be exposed in unauthenticated DESCRIBE/SETUP exchanges, observable on the network, or recoverable from logs. With the token in hand, the attacker connects to the RTSP listener on TCP port 554 (or the configured port) and issues PLAY or TEARDOWN referencing the captured session. Refer to the VulnCheck Advisory on LIVE555 and the proof-of-concept gist for protocol-level details.
Detection Methods for CVE-2026-41470
Indicators of Compromise
- Multiple TCP connections to the RTSP port referencing the same Session identifier from different source addresses or ports
- Unexpected TEARDOWN requests terminating active streams during normal viewing windows
- LIVE555 process crashes with stack traces showing virtual function call failures in session command handlers
- RTSP server restarts or supervised respawns coincident with inbound PLAY/TEARDOWN traffic from unfamiliar peers
Detection Strategies
- Inspect RTSP traffic for Session header reuse across distinct TCP 5-tuples and flag mismatches between session owner and command issuer
- Correlate RTSP server crash events with preceding PLAY or TEARDOWN requests in network packet captures or proxy logs
- Alert on RTSP commands arriving without a preceding SETUP on the same connection that established the session
Monitoring Recommendations
- Forward RTSP server logs and crash reports to a centralized analytics platform for correlation with network telemetry
- Capture full-packet RTSP traffic on streaming infrastructure to support retrospective investigation of session abuse
- Monitor service availability metrics for streaming endpoints to identify abnormal session terminations
How to Mitigate CVE-2026-41470
Immediate Actions Required
- Upgrade LIVE555 to version 2026.04.22 or later, available from the LIVE555 Download Resource
- Rebuild and redeploy any downstream applications, firmware images, or container images that statically link LIVE555
- Restrict network exposure of RTSP listeners to trusted management networks until patching is complete
- Audit deployed devices and software bills of materials (SBOMs) for embedded LIVE555 components
Patch Information
The LIVE555 maintainers addressed the issue in the 2026.04.22 release. The fix enforces that session-scoped RTSP commands originate from the connection that authenticated and established the session. Operators should obtain source archives from the official LIVE555 download site and rebuild dependent binaries.
Workarounds
- Place the RTSP server behind an authenticating reverse proxy or VPN that terminates client connections before they reach LIVE555
- Configure firewall rules to permit RTSP only from known client subnets, reducing exposure to opportunistic session token replay
- Disable unauthenticated DESCRIBE and SETUP exchanges where the application stack supports stricter access policies
# Configuration example: restrict RTSP exposure with iptables
iptables -A INPUT -p tcp --dport 554 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 554 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
